この大会は2024/10/18 23:00(JST)~2024/10/20 9:00(JST)に開催されました。
今回もチームで参戦。結果は1473点で1215チーム中211位でした。
自分で解けた問題をWriteupとして書いておきます。
Starter 1 (Starter 1)
Rules and Code of Conductのページの最下部にフラグが書いてあった。
flag{I_acknowledge_the_rules}
Starter 2 (Starter 2)
Ghost Townで「Where to even get started」という掲示板を見てみる。
投稿は1件だが、2回編集されている。最初の投稿の投稿者はdeadface、投稿日はJune 25となっている。
flag{deadface_0625}上記のフラグは通らないので、日付を1日前にしてみると、通った。
flag{deadface_0624}
Let Me In (TrendyTrove 15)
以下の情報を入力し、Loginボタンをクリックすると、ログインできた。
Username: ' or 1=1 -- - Password: a
ログイン後のページの「NeuraWave Sleep Enhancer」の商品の説明にフラグが書いてあった。
flag{Tr3ndy_Tr0v3_$QL_1nj3ct10n}
Big Fish (Phantom Operators 10)
httpでフィルタリングすると、/nc.exeをGETしているパケットがあることがわかる。
その通信先が攻撃者のIPアドレスで、以下の通りである。
45.55.201.188
flag{45.55.201.188}
Password (Phantom Operators 10)
httpでフィルタリングすると、/notice.htmlにPOSTしている以下のクレデンシャル情報がある。
Form item: "username" = "garry.sartoris@techglobalresearch.com" Form item: "password" = "S4rt0RIS19&&"
flag{S4rt0RIS19&&}
Data Breach (Traffic Analysis 25)
パケット詳細を"flag{"で検索すると、パケットNo3603のHTTPレスポンスヘッダ「Not-Suppose-To-Be-Here」にフラグが設定されていた。
flag{Information_disclosure_in_the_head}
Missing Pieces (Programming 10)
細かくCのコードを見ていないが、暗号化データとXOR鍵がわかっているので、XORで復号する。
#!/usr/bin/env python3 hex_string = 'b52195a4a82bc5ade23e9c9c8725c79cb07d90f0ae' key = 'd34df4c3' string = bytes.fromhex(hex_string) key = bytes.fromhex(key) flag = '' for i in range(len(string)): flag += chr(string[i] ^ key[i % len(key)]) print(flag)
flag{f1n1sh_Th3_c0d3}
SkyWave 1: High Tower (SkyWave 5)
SkyWaveシリーズの問題は、sshで接続すると、MySQLの環境になる。各問題では質問があるのでそれに対して答えていく。
この問題での質問は以下の通り。
What is the tower_id of the cell tower that sits at an approximate elevation of 220 ft?
Submit the flag as flag{tower_id}. Example: flag{10}.$ ssh skywave@skywave.deadface.io The authenticity of host 'skywave.deadface.io (68.183.137.215)' can't be established. ED25519 key fingerprint is SHA256:2fnu0gzMRT4c/l73QWN1CADTsaLJc6SIfMJh+BGiX70. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'skywave.deadface.io' (ED25519) to the list of known hosts. skywave@skywave.deadface.io's password: Linux dctf24-env1 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Fri Oct 18 14:54:29 2024 from 85.76.163.162 Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Welcome to the MariaDB monitor. Commands end with ; or \g. Your MySQL connection id is 367 Server version: 5.7.44 MySQL Community Server (GPL) Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MySQL [cell_tower_db]> show tables; +-------------------------+ | Tables_in_cell_tower_db | +-------------------------+ | Antennas | | Carriers | | Connections | | Device_Types | | Devices | | Operators | | Technicians | | Tower_Maintenance | | Tower_Sectors | | Towers | +-------------------------+ 10 rows in set (0.001 sec) MySQL [cell_tower_db]> select column_name from information_schema.columns where table_name = 'Towers'; +-----------------------+ | column_name | +-----------------------+ | tower_id | | location_name | | latitude | | longitude | | elevation | | tower_height | | operator_id | | status | | install_date | | last_maintenance_date | +-----------------------+ 10 rows in set (0.001 sec) MySQL [cell_tower_db]> select * from Towers where elevation >= 219 and elevation < 221; +----------+---------------+-----------+------------+-----------+--------------+-------------+--------+--------------+-----------------------+ | tower_id | location_name | latitude | longitude | elevation | tower_height | operator_id | status | install_date | last_maintenance_date | +----------+---------------+-----------+------------+-----------+--------------+-------------+--------+--------------+-----------------------+ | 215 | PA | 41.889883 | -77.442410 | 220.32 | 184.98 | 15 | active | 2005-09-21 | 2018-07-18 | +----------+---------------+-----------+------------+-----------+--------------+-------------+--------+--------------+-----------------------+ 1 row in set (0.001 sec)
およそ 220 フィートの高度にある携帯電話基地局の tower_id は 215 であることがわかった。
flag{215}
SkyWave 2: Trifecta (SkyWave 15)
この問題での質問は以下の通り。
We can assume that d34th used some kind of smart device or computer to conduct his attacks.
How many devices in the database are either a smart phone, a computer, or a tablet?
Submit the flag as flag{number}. Example: flag{10}.MySQL [cell_tower_db]> select * from Device_Types; +----------------+---------------------------+ | device_type_id | device_type_name | +----------------+---------------------------+ | 1 | smartphone | | 2 | mobile phone | | 3 | tablet | | 4 | computer | | 5 | iot | | 6 | modem | | 7 | gps fleet tracking device | | 8 | health monitoring device | | 9 | point of sale | | 10 | vehicle | +----------------+---------------------------+ 10 rows in set (0.001 sec) MySQL [cell_tower_db]> select * from Devices limit 1; +-----------+-----------------+----------------+--------------+-----------+------------+ | device_id | device_imei | device_type_id | manufacturer | model | carrier_id | +-----------+-----------------+----------------+--------------+-----------+------------+ | 1 | 605705343774826 | 5 | Technologia | Aether Z5 | 6 | +-----------+-----------------+----------------+--------------+-----------+------------+ 1 row in set (0.001 sec) MySQL [cell_tower_db]> select count(*) from Devices where device_type_id in (1, 3, 4); +----------+ | count(*) | +----------+ | 714 | +----------+ 1 row in set (0.002 sec)
データベース内のデバイスのうち、スマートフォン、コンピューター、またはタブレットは714個あるとわかった。
flag{714}
SkyWave 7: Bad Handwriting (SkyWave 30)
この問題での質問は以下の通り。
One of the technicians performed maintenance on Tower 133 on August 26, 2024, but the technician's handwriting on the repair log cannot be deciphered.
What is the employee number of the employee who conducted maintenance on that tower and on that date?
Submit the flag as flag{employee_number}. Example: flag{T123456789}.MySQL [cell_tower_db]> select * from Tower_Maintenance limit 1; +----------------+----------+----------------------------+------------------+---------------+ | maintenance_id | tower_id | maintenance_type | maintenance_date | technician_id | +----------------+----------+----------------------------+------------------+---------------+ | 1 | 175 | Tower structure inspection | 2022-02-21 | 103 | +----------------+----------+----------------------------+------------------+---------------+ 1 row in set (0.000 sec) MySQL [cell_tower_db]> select * from Tower_Maintenance where tower_id = 133 and maintenance_date = '2024-08-26'; +----------------+----------+------------------+------------------+---------------+ | maintenance_id | tower_id | maintenance_type | maintenance_date | technician_id | +----------------+----------+------------------+------------------+---------------+ | 522 | 133 | Miscellaneous | 2024-08-26 | 323 | +----------------+----------+------------------+------------------+---------------+ 1 row in set (0.002 sec) MySQL [cell_tower_db]> select * from Technicians limit 1; +---------------+------------+-----------+----------------+-----------------+--------------+-------+-------------+-----------------+ | technician_id | first_name | last_name | contact_number | street | city | state | postal_code | employee_number | +---------------+------------+-----------+----------------+-----------------+--------------+-------+-------------+-----------------+ | 1 | Si | Manicomb | 215-250-8556 | 88605 Maple Way | Philadelphia | PA | 19178 | T232486186 | +---------------+------------+-----------+----------------+-----------------+--------------+-------+-------------+-----------------+ 1 row in set (0.000 sec) MySQL [cell_tower_db]> select * from Technicians where technician_id = 323; +---------------+------------+-----------+----------------+--------------------------+------------+-------+-------------+-----------------+ | technician_id | first_name | last_name | contact_number | street | city | state | postal_code | employee_number | +---------------+------------+-----------+----------------+--------------------------+------------+-------+-------------+-----------------+ | 323 | Marena | Polson | 717-697-8170 | 625 Manufacturers Avenue | Harrisburg | PA | 17121 | T263739990 | +---------------+------------+-----------+----------------+--------------------------+------------+-------+-------------+-----------------+ 1 row in set (0.017 sec)
2024年8月26日にタワー133のメンテナンスを実施した従業員の従業員番号は T263739990 であることがわかった。
flag{T263739990}
SkyWave 9: Updates (SkyWave 30)
この問題での質問は以下の通り。
How many towers received software updates?
Submit the flag as flag{number}. Example: flag{10}.MySQL [cell_tower_db]> select * from Tower_Maintenance; +----------------+----------+--------------------------------------+------------------+---------------+ | maintenance_id | tower_id | maintenance_type | maintenance_date | technician_id | +----------------+----------+--------------------------------------+------------------+---------------+ | 1 | 175 | Tower structure inspection | 2022-02-21 | 103 | | 2 | 14 | Grounding and lightning protection | 2022-02-22 | 261 | | 3 | 196 | Miscellaneous | 2023-08-27 | 14 | | 4 | 214 | Routine cable inspection | 2023-07-16 | 205 | | 5 | 96 | Tower structure inspection | 2024-01-16 | 156 | : : : | 1207 | 204 | Backup power system testing | 2023-01-19 | 305 | | 1208 | 100 | Routine antenna inspection | 2023-06-23 | 134 | | 1209 | 200 | Condition monitoring | 2024-02-25 | 156 | | 1210 | 177 | Software updates | 2023-12-19 | 33 | | 1211 | 52 | Routine cable inspection | 2022-02-24 | 152 | | 1212 | 40 | Component replacement | 2022-01-02 | 244 | | 1213 | 119 | Capacity expansion | 2022-01-12 | 244 | | 1214 | 191 | Routine cable inspection | 2024-02-28 | 69 | | 1215 | 183 | Technology upgrades | 2024-05-29 | 205 | +----------------+----------+--------------------------------------+------------------+---------------+ 1215 rows in set (0.002 sec) MySQL [cell_tower_db]> select count(distinct tower_id) from Tower_Maintenance where maintenance_type = 'Software updates'; +--------------------------+ | count(distinct tower_id) | +--------------------------+ | 70 | +--------------------------+ 1 row in set (0.001 sec)
ソフトウェアアップデートを受信したタワーの数は 70 であることがわかった。
flag{70}
SkyWave 3: Rabbit Ears (SkyWave 80)
この問題での質問は以下の通り。
Florian Olyff operates several towers.
What is the most commonly used antenna type (name) on the towers she manages?
Submit the flag as flag{antenna_name number}. Example: flag{Long Antenna 5}.MySQL [cell_tower_db]> select * from Operators limit 1; +-------------+------------+-----------+-----------------+ | operator_id | first_name | last_name | employee_number | +-------------+------------+-----------+-----------------+ | 1 | Olia | Rittmeyer | 6804597791 | +-------------+------------+-----------+-----------------+ 1 row in set (0.000 sec) MySQL [cell_tower_db]> select * from Operators where first_name = 'Florian' and last_name = 'Olyff'; +-------------+------------+-----------+-----------------+ | operator_id | first_name | last_name | employee_number | +-------------+------------+-----------+-----------------+ | 4 | Florian | Olyff | 3223634520 | +-------------+------------+-----------+-----------------+ 1 row in set (0.001 sec) MySQL [cell_tower_db]> select * from Towers where operator_id = 4; +----------+---------------+-----------+------------+-----------+--------------+-------------+--------+--------------+-----------------------+ | tower_id | location_name | latitude | longitude | elevation | tower_height | operator_id | status | install_date | last_maintenance_date | +----------+---------------+-----------+------------+-----------+--------------+-------------+--------+--------------+-----------------------+ | 189 | PA | 40.725061 | -76.969425 | 36.19 | 88.71 | 4 | active | 2011-02-09 | 2023-08-24 | +----------+---------------+-----------+------------+-----------+--------------+-------------+--------+--------------+-----------------------+ 1 row in set (0.001 sec) MySQL [cell_tower_db]> select * from Tower_Sectors limit 1; +-----------+----------+---------+------------+----------------+--------------+ | sector_id | tower_id | azimuth | antenna_id | frequency_band | power_output | +-----------+----------+---------+------------+----------------+--------------+ | 1 | 1 | 0.00 | 3 | C-band | 9.90 | +-----------+----------+---------+------------+----------------+--------------+ 1 row in set (0.000 sec) MySQL [cell_tower_db]> select antenna_id, count(*) from Tower_Sectors where tower_id = 189 group by antenna_id order by count(*) desc limit 1; +------------+----------+ | antenna_id | count(*) | +------------+----------+ | 9 | 3 | +------------+----------+ 1 row in set (0.001 sec) MySQL [cell_tower_db]> select * from Antennas limit 1; +------------+-----------------+ | antenna_id | antenna_name | +------------+-----------------+ | 1 | Omnidirectional | +------------+-----------------+ 1 row in set (0.000 sec) MySQL [cell_tower_db]> select * from Antennas where antenna_id = 9; +------------+---------------------------------------+ | antenna_id | antenna_name | +------------+---------------------------------------+ | 9 | Multiple Input Multiple Output (MIMO) | +------------+---------------------------------------+ 1 row in set (0.000 sec)
Florian Olyff が管理するタワーで最もよく使用されているアンテナの種類(名前)は Multiple Input Multiple Output (MIMO) で、3個使わていることがわかった。
flag{Multiple Input Multiple Output (MIMO) 3}
SkyWave 4: Longest Run (SkyWave 120)
この問題での質問は以下の通り。
We need to determine which device had the longest running connection out of the towers with the following coordinates:
(41.639642, -79.220682)
(40.598271, -78.801089)
(41.045892, -79.068358)
(41.257279, -77.529468)
Additionally, let’s focus on only finding the longest running connection with a dBm greater than -100.
Submit the flag as flag{device_imei}. Example: flag{123456789012345}.MySQL [cell_tower_db]> select * from Towers where latitude in (41.639642, 40.598271, 41.045892, 41.257279); +----------+---------------+-----------+------------+-----------+--------------+-------------+--------+--------------+-----------------------+ | tower_id | location_name | latitude | longitude | elevation | tower_height | operator_id | status | install_date | last_maintenance_date | +----------+---------------+-----------+------------+-----------+--------------+-------------+--------+--------------+-----------------------+ | 105 | PA | 41.639642 | -79.220682 | 62.97 | 126.24 | 36 | active | 2016-03-22 | 2020-06-26 | | 123 | PA | 40.598271 | -78.801089 | 193.47 | 74.66 | 119 | active | 2000-10-11 | 2021-02-15 | | 187 | PA | 41.045892 | -79.068358 | 97.85 | 147.16 | 60 | active | 2010-04-07 | 2018-11-24 | | 200 | PA | 41.257279 | -77.529468 | 135.44 | 143.88 | 46 | active | 2009-02-01 | 2020-03-01 | +----------+---------------+-----------+------------+-----------+--------------+-------------+--------+--------------+-----------------------+ 4 rows in set (0.001 sec) MySQL [cell_tower_db]> select * from Connections limit 1; +---------------+-----------+----------+-----------+---------------------+-----------------+---------------------+ | connection_id | device_id | tower_id | sector_id | connection_time | signal_strength | connection_duration | +---------------+-----------+----------+-----------+---------------------+-----------------+---------------------+ | 1 | 2329 | 30 | 177 | 2024-09-07 17:38:55 | -116.51 | 9074 | +---------------+-----------+----------+-----------+---------------------+-----------------+---------------------+ 1 row in set (0.000 sec) MySQL [cell_tower_db]> select * from Connections where tower_id in (105, 123, 187, 200) and signal_strength > -100 order by connection_duration desc limit 1; +---------------+-----------+----------+-----------+---------------------+-----------------+---------------------+ | connection_id | device_id | tower_id | sector_id | connection_time | signal_strength | connection_duration | +---------------+-----------+----------+-----------+---------------------+-----------------+---------------------+ | 5169 | 344 | 200 | 1211 | 2024-09-07 19:06:39 | -89.43 | 85709 | +---------------+-----------+----------+-----------+---------------------+-----------------+---------------------+ 1 row in set (0.002 sec) MySQL [cell_tower_db]> select * from Devices where device_id = '344'; +-----------+-----------------+----------------+--------------+---------+------------+ | device_id | device_imei | device_type_id | manufacturer | model | carrier_id | +-----------+-----------------+----------------+--------------+---------+------------+ | 344 | 845303290931675 | 2 | CosmoTech | Nova 15 | 4 | +-----------+-----------------+----------------+--------------+---------+------------+ 1 row in set (0.000 sec)
指定の座標を持つタワーでdBmが-100を超えるデバイスのうち、最も長く接続されていたものをIMEI番号は 845303290931675 であることがわかった。
flag{845303290931675}
SkyWave 5: Connections (SkyWave 200)
この問題での質問は以下の通り。
We’re running with an assumption that d34th drove around and connected to various cell towers the day leading up to the attack.
We need you to determine which device IMEI connected to the most unique towers on September 7 from 16:10 to 18:54.
Submit the flag as flag{device_imei}. Example: flag{123456789012345}.MySQL [cell_tower_db]> select device_id, count(distinct(tower_id)) from Connections where connection_time > '2024-09-07 16:10' and connection_time < '2024-09-07 18:54' group by device_id order by count(distinct(tower_id)) desc limit 5; +-----------+---------------------------+ | device_id | count(distinct(tower_id)) | +-----------+---------------------------+ | 2279 | 5 | | 2325 | 5 | | 2321 | 4 | | 2329 | 4 | | 2232 | 4 | +-----------+---------------------------+ 5 rows in set (0.010 sec) MySQL [cell_tower_db]> select * from Devices where device_id in (2279, 2325); +-----------+-----------------+----------------+--------------+------------+------------+ | device_id | device_imei | device_type_id | manufacturer | model | carrier_id | +-----------+-----------------+----------------+--------------+------------+------------+ | 2279 | 643366592089524 | 6 | SynergyTech | Aether 11 | 8 | | 2325 | 377494868035375 | 1 | Veridian | Verdant X6 | 6 | +-----------+-----------------+----------------+--------------+------------+------------+ 2 rows in set (0.010 sec)
9月7日の16:10から18:54の間に、最も多くの基地局に接続したデバイスのIMEI番号は 643366592089524 または377494868035375 であることがわかった。
まず以下をSubmitしてみる。
flag{643366592089524}上記のフラグは通らないので、もう一つの方のIMEI番号をSumitしてみたら通った。
flag{377494868035375}
Landing Zone (Hostbusters 5)
$ ssh deephax@deephax.deadface.io The authenticity of host 'deephax.deadface.io (68.183.137.215)' can't be established. ED25519 key fingerprint is SHA256:2fnu0gzMRT4c/l73QWN1CADTsaLJc6SIfMJh+BGiX70. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'deephax.deadface.io' (ED25519) to the list of known hosts. deephax@deephax.deadface.io's password: Linux dctf24-env1 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sat Oct 19 07:21:37 2024 from 103.57.224.70 ~ $ ls flag1.txt hint.txt ~ $ cat flag1.txt flag{hostbusters1_e361b9b8352eea50}
flag{hostbusters1_e361b9b8352eea50}
Mind Your Surroundings (Hostbusters 25)
~ $ env USER=deephax SHLVL=2 HOME=/home/deephax OLDPWD=/sys PAGER=less LOGNAME=deephax TERM=xterm LC_COLLATE=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin LANG=C.UTF-8 flag3=flag{hostbusters3_ff07d6fb5ee992f6} SHELL=/bin/sh PWD=/home/deephax CHARSET=UTF-8
flag{hostbusters3_ff07d6fb5ee992f6}
dead_browse 1 (dead_browse 100)
Ghidraでデコンパイルする。
void FUN_00102b0c(char *param_1) { int iVar1; size_t sVar2; size_t sVar3; long in_FS_OFFSET; undefined8 local_56; undefined4 local_4e; undefined2 local_4a; undefined8 local_48; undefined8 local_40; undefined8 local_38; undefined4 local_30; undefined local_2c; long local_20; local_20 = *(long *)(in_FS_OFFSET + 0x28); local_48 = 0x5621161e143e150b; local_40 = 0xd54144a0e462c26; local_38 = 0x463b471620501340; local_30 = 0x4011609; local_2c = 0; local_56 = 0x65726365735f796d; local_4e = 0x656b5f74; local_4a = 0x79; puts("Checking user key..."); sVar2 = strlen((char *)&local_56); sVar3 = strlen(param_1); FUN_00102aa1(param_1,&local_56,sVar3,sVar2); iVar1 = strcmp((char *)&local_48,param_1); if (iVar1 == 0) { printf("good key"); } if (local_20 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return; } void FUN_00102aa1(long param_1,long param_2,ulong param_3,ulong param_4) { ulong local_10; for (local_10 = 0; local_10 < param_3; local_10 = local_10 + 1) { *(byte *)(local_10 + param_1) = *(byte *)(local_10 + param_1) ^ *(byte *)(param_2 + local_10 % param_4); } return; }
local_48以降とlocal_56以降の繰り返しをXORすればkeyがわかり、それがフラグになった。
#!/usr/bin/env python3 key = (0x65726365735f796d).to_bytes(8, 'little') key += (0x656b5f74).to_bytes(4, 'little') key += (0x79).to_bytes(1, 'little') enc = (0x5621161e143e150b).to_bytes(8, 'little') enc += (0xd54144a0e462c26).to_bytes(8, 'little') enc += (0x463b471620501340).to_bytes(8, 'little') enc += (0x4011609).to_bytes(4, 'little') flag = b'' for i in range(len(enc)): flag += bytes([enc[i] ^ key[i % len(key)]]) flag = flag.decode() print(flag)
flag{uS3Rs-k3y-R3v3Rs3d-lol}
Cereal Killer 01 (Cereal Killer 25)
Ghidraでデコンパイルする。
undefined4 FUN_0001148d(undefined4 param_1,undefined4 param_2) { size_t sVar1; undefined4 uVar2; int iVar3; undefined4 *puVar4; int in_GS_OFFSET; undefined4 local_558 [38]; undefined4 local_4c0; undefined4 local_4bc; undefined local_4b8; undefined4 local_4b7; undefined4 local_4b3; undefined local_4af; undefined4 local_4ae; undefined4 local_4aa; undefined4 local_4a6; undefined4 local_4a2; undefined4 local_49e; undefined4 local_49a; undefined4 local_496; undefined4 local_492; undefined4 local_48e; undefined4 local_48a; undefined4 local_486; undefined4 local_482; undefined4 local_47e; undefined4 local_47a; undefined4 local_476; undefined4 local_472; undefined4 local_46e; undefined4 local_46a; undefined4 local_466; undefined4 local_462; undefined4 local_45e; undefined4 local_45a; undefined4 local_456; undefined local_452; undefined4 local_451; undefined4 local_44d; undefined4 local_449; undefined4 local_445; undefined4 local_441; undefined4 local_43d; undefined4 local_439; undefined4 local_435; undefined4 local_431; undefined4 local_42d; undefined4 local_429; undefined local_425; undefined4 local_424; undefined4 local_420 [255]; int local_24; undefined *local_14; local_14 = (undefined *)¶m_1; local_24 = *(int *)(in_GS_OFFSET + 0x14); local_424 = 0; puVar4 = local_420; for (iVar3 = 0xff; iVar3 != 0; iVar3 = iVar3 + -1) { *puVar4 = 0; puVar4 = puVar4 + 1; } local_4ae = 0; local_4aa = 0; local_4a6 = 0; local_4a2 = 0; local_49e = 0; local_49a = 0; local_496 = 0; local_492 = 0; local_48e = 0; local_48a = 0; local_486 = 0; local_482 = 0; local_47e = 0; local_47a = 0; local_476 = 0; local_472 = 0; local_46e = 0; local_46a = 0; local_466 = 0; local_462 = 0; local_45e = 0; local_45a = 0; local_456 = 0; local_452 = 0; local_451 = 0; local_44d = 0; local_449 = 0; local_445 = 0; local_441 = 0; local_43d = 0; local_439 = 0; local_435 = 0; local_431 = 0; local_42d = 0; local_429 = 0; local_425 = 0; local_4c0 = 0; local_4bc = 0; local_4b8 = 0; local_4b7 = 0; local_4b3 = 0; local_4af = 0; puVar4 = local_558; for (iVar3 = 0x26; iVar3 != 0; iVar3 = iVar3 + -1) { *puVar4 = 0; puVar4 = puVar4 + 1; } FUN_0001133f("8f33044fb9b1822d1e4408fc9121188a8a7695503d2ec74d97d4480747e1fb2b7d999f4af3f6a2b7202a 73d3" ,&local_47e); puts("This year, America\'s politicians are weighing in on the IMPORTANT issues...!"); puts("As in, which spooky cereal is best?"); puts("Mr. Robert F. Kennedy, Jr. has a favorite spooky cereal. Tear apart this"); puts("binary and see if you can figure out what it is!"); puts("\n"); printf("Please enter the password: "); __isoc99_scanf("%1023[^\n]",&local_424); FUN_0001123d(&local_424); FUN_000113ec(&local_424,&local_4b7,0xd); iVar3 = strncmp((char *)&local_4b7,"obboreel",8); if (iVar3 == 0) { FUN_000113ec(&local_4b7,&local_4c0,0x19); puts("\n"); puts("CONSPIRACY THEORY ACCESS GRANTED, Mr. Kennedy!!!"); printf("Here is your booster shot for today! Have a nice breakfast, Sir! "); puts("\n\n*********** FLAG INNOCULATED!!! ***********\n"); FUN_00012523(local_558); sVar1 = strlen((char *)&local_4c0); FUN_0001256e(local_558,&local_4c0,sVar1); FUN_00012695(&local_48e,local_558); FUN_00012935(&local_47e,0x2c,&local_48e,0x10,&local_451); printf("%s",&local_451); puts("\n\n*********** FLAG INNOCULATED!!! ***********\n"); } else { puts("ACCESS DENIED!!!"); } uVar2 = 0; if (local_24 != *(int *)(in_GS_OFFSET + 0x14)) { uVar2 = FUN_00012bf0(); } return uVar2; } void FUN_0001123d(char *param_1) { int iVar1; char *local_14; size_t local_10; local_14 = param_1; local_10 = strlen(param_1); while (iVar1 = isspace((int)param_1[local_10 - 1]), iVar1 != 0) { local_10 = local_10 - 1; param_1[local_10] = '\0'; } while ((*local_14 != '\0' && (iVar1 = isspace((int)*local_14), iVar1 != 0))) { local_14 = local_14 + 1; local_10 = local_10 - 1; } memmove(param_1,local_14,local_10 + 1); return; } void FUN_000113ec(char *param_1,char *param_2,int param_3) { int iVar1; int local_10; for (local_10 = 0; (*param_1 != '\0' && (local_10 < 8)); local_10 = local_10 + 1) { iVar1 = islower((int)*param_1); if (iVar1 == 0) { *param_2 = *param_1; } else { iVar1 = *param_1 + -0x61 + param_3; *param_2 = (char)iVar1 + (char)(iVar1 / 0x1a) * -0x1a + 'a'; } param_1 = param_1 + 1; param_2 = param_2 + 1; } *param_2 = '\0'; return; }
パスワードは"obboreel"をrot13したものなので、https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで求めると、以下のようになる。
booberry
あとはこれをパスワードして入力すれば、フラグが得られる。
$ ./ck-2024-re04 This year, America's politicians are weighing in on the IMPORTANT issues...! As in, which spooky cereal is best? Mr. Robert F. Kennedy, Jr. has a favorite spooky cereal. Tear apart this binary and see if you can figure out what it is! Please enter the password: booberry CONSPIRACY THEORY ACCESS GRANTED, Mr. Kennedy!!! Here is your booster shot for today! Have a nice breakfast, Sir! *********** FLAG INNOCULATED!!! *********** flag{The-M0st-Fam0us-Nephew-Loves-B00B3rry!} *********** FLAG INNOCULATED!!! ***********
flag{The-M0st-Fam0us-Nephew-Loves-B00B3rry!}
Cereal Killer 05 (Cereal Killer 200)
public class RE08 { private static final byte[] encryptedURL = {42, 6, 68, 64, 7, 120, 93, 31, 83, 17, 48, 23, 81, 92, 90, 46, 11, 68, 68, 27, 44, 30, 81, 82, 7, 108, 29, 66, 87, 91, 33, 23, 66, 85, 21, 46, 1, 31, 86, 6, 45, 29, 68, 82, 6, 45, 29, 68, 30, 30, 50, 23, 87}; private static final String encryptedFlag = "Tj/BJ+45Z45uRCFpuFOHirQI34ZC7bmtpCtJ3OE613fIxqrsZwIoLNSBXSjtPONFqZF3gC+4glh1Gyi2RBKZcuItH8s="; private static final String ivBase64 = "qHttv1t5TWZLDM4e"; public static void main(String[] strArr) { try { Scanner scanner = new Scanner(System.in); System.out.print("President Donald Trump has a favorite cereal. It is great... really great...\n"); System.out.print("The reason it is so great, is because HE likes it... that makes it reall great...\n"); System.out.print("Of course, to maintain utmost secrecy, it is protected with a password that is\n"); System.out.print("HIGHLY secure (and backed up securely on a piece of paper somewhere in Mar Lago...)\n"); System.out.print("Now, you, being a highly trained hacker, should be able to BYPASS this security and\n"); System.out.print("discover what President Trump's favorite monster cereal is.\n"); System.out.print("\n"); System.out.print("Enter password: "); String str = new String(decryptURL(encryptedURL, scanner.nextLine())); if (str.startsWith("https")) { System.out.println("Decrypted URL: " + str); System.out.println("Decrypted Flag: " + decryptFlagWithAESGCM(calculateSHA256(downloadImage(str)), encryptedFlag, ivBase64)); } else { System.out.println("Sorry, that is not the correct password."); } } catch (Exception e) { e.printStackTrace(); } } private static byte[] decryptURL(byte[] bArr, String str) { byte[] bArr2 = new byte[bArr.length]; for (int i = 0; i < bArr.length; i++) { bArr2[i] = (byte) (bArr[i] ^ str.charAt(i % str.length())); } return bArr2; } private static String downloadImage(String str) throws IOException { URL url = new URL(str); File file = new File("downloaded_image.jpg"); if (file.exists()) { file.delete(); } InputStream openStream = url.openStream(); try { Files.copy(openStream, Paths.get("downloaded_image.jpg", new String[0]), new CopyOption[0]); if (openStream != null) { openStream.close(); } return "downloaded_image.jpg"; } catch (Throwable th) { if (openStream != null) { try { openStream.close(); } catch (Throwable th2) { th.addSuppressed(th2); } } throw th; } } private static byte[] calculateSHA256(String str) throws Exception { return MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(Paths.get(str, new String[0]))); } private static String decryptFlagWithAESGCM(byte[] bArr, String str, String str2) throws Exception { byte[] decode = Base64.getDecoder().decode(str2); byte[] decode2 = Base64.getDecoder().decode(str); SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); cipher.init(2, secretKeySpec, new GCMParameterSpec(128, decode)); return new String(cipher.doFinal(decode2), "UTF-8"); } }
encryptedURLの値と平文のURLが"https://"で始まることからXORでpasswordを割り出す。
#!/usr/bin/env python3 encURL = [42, 6, 68, 64, 7, 120, 93, 31, 83, 17, 48, 23, 81, 92, 90, 46, 11, 68, 68, 27, 44, 30, 81, 82, 7, 108, 29, 66, 87, 91, 33, 23, 66, 85, 21, 46, 1, 31, 86, 6, 45, 29, 68, 82, 6, 45, 29, 68, 30, 30, 50, 23, 87] headURL = b'https://' password = b'' for i in range(len(headURL)): password += bytes([encURL[i] ^ headURL[i]]) assert password[:3] == password[5:8] password = password[:5].decode() print(password)
この結果、パスワードは以下の文字列であることがわかる。
Br00t
あとはこれをパスワードして入力すれば、フラグが得られる。
$ java -jar cerealkiller05.jar Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true President Donald Trump has a favorite cereal. It is great... really great... The reason it is so great, is because HE likes it... that makes it reall great... Of course, to maintain utmost secrecy, it is protected with a password that is HIGHLY secure (and backed up securely on a piece of paper somewhere in Mar Lago...) Now, you, being a highly trained hacker, should be able to BYPASS this security and discover what President Trump's favorite monster cereal is. Enter password: Br00t Decrypted URL: https://cereal.lyttonlabs.org/cereals/frootbroot.jpeg Decrypted Flag: flag{Fr00t-Br00t-is-the-only-cereal-for-Prez-Trump!}
flag{Fr00t-Br00t-is-the-only-cereal-for-Prez-Trump!}
Mal-Where is My Mind 00 (Mal-Where is My Mind 30)
パスワード"infected"でzipを解凍すると、Deadface_RAT.exeとflag00.txtが展開され、flag00.txtにフラグが書いてあった。
flag{How_can_I_describe_my_emotions_at_this_catastrophe}
Mal-Where is My Mind 01 (Mal-Where is My Mind 50)
Ghidraでデコンパイルする。
int __cdecl main(int _Argc,char **_Argv,char **_Env) { LSTATUS LVar1; int iVar2; size_t sVar3; undefined4 in_register_0000000c; BYTE *lpData; char local_5c8 [272]; char local_4b8 [272]; BYTE local_3a8 [284]; DWORD local_28c; HKEY local_288; HKEY local_280; char local_278 [56]; char *local_240; char *local_238; char *local_230; char *local_228; char *local_220; char *local_218; char *local_210; char *local_208; char *local_200; char *local_1f8; char *local_1f0; char *local_1e8; char *local_1e0; char *local_1d8; char *local_1d0; char *local_1c8; char *local_1c0; char *local_1b8; char *local_1b0; char *local_1a8; char *local_1a0; char *local_198; char *local_190; char *local_188; char *local_180; char *local_178; char *local_170; char *local_168; char *local_160; char *local_158; char *local_150; char *local_148; char *local_140; char *local_138; char *local_130; char *local_128; char *local_120; char *local_118; char *local_110; LSTATUS local_104; char *local_100; longlong local_f8; char *local_f0; char *local_e8; longlong local_e0; char *local_d8; FILE *local_d0; char *local_c8; char *local_c0; char *local_b8; char *local_b0; char *local_a8; char *local_a0; char *local_98; char *local_90; char *local_88; char *local_80; char *local_78; size_t local_70; size_t local_68; size_t local_60; char *local_58; char *local_50; void *local_48; size_t local_40; size_t local_38; size_t local_30; size_t local_28; char *local_20; char *local_18; char *local_10; __main(CONCAT44(in_register_0000000c,_Argc)); local_10 = "01 - flag{Jack"; local_18 = "_Torrance_thought:"; local_20 = "_Officious_little_prick}"; local_28 = strlen("01 - flag{Jack"); local_30 = strlen(local_18); local_38 = strlen(local_20); local_40 = local_38 + local_28 + local_30 + 1; local_48 = malloc(local_40); puts("You wanted this to be easy?"); local_50 = getenv("USERPROFILE"); local_58 = "\\flag.txt"; local_60 = strlen(local_50); local_68 = strlen(local_58); local_70 = local_68 + local_60 + 1; local_78 = (char *)malloc(local_70); local_80 = "lfaGV"; local_88 = "50X3Rv"; local_90 = "BmbGFn"; local_98 = "="; local_a0 = "9u4oCZ"; local_a8 = "dF93YW"; local_b0 = "e0lfZG"; local_b8 = "X3N0YX"; local_c0 = "yZX0"; local_c8 = "MDIgLS"; strcpy(local_78,local_50); strcat(local_78,local_58); strcat(local_278,local_c8); strcat(local_278,local_90); strcat(local_278,local_b0); strcat(local_278,local_a0); strcat(local_278,local_a8); strcat(local_278,local_88); strcat(local_278,local_b8); strcat(local_278,local_80); strcat(local_278,local_c0); strcat(local_278,local_98); local_d0 = fopen(local_78,"w"); fprintf(local_d0,local_278); fclose(local_d0); local_d8 = "SOFTWARE\\Discord"; LVar1 = RegOpenKeyExA((HKEY)0xffffffff80000001,"SOFTWARE\\Discord",0,1,&local_280); local_e0 = (longlong)LVar1; local_e8 = "Discord"; local_f0 = "Moreau"; LVar1 = RegCreateKeyExA(local_280,"Moreau",0,(LPSTR)0x0,1,0xf003f,(LPSECURITY_ATTRIBUTES)0x0, &local_288,&local_28c); local_f8 = (longlong)LVar1; local_100 = "Vivisect"; memcpy(local_3a8, "48 51 32 45 32 102 108 97 103 123 73 95 100 111 95 110 111 116 95 112 114 111 112 111 115 101 95 116 111 95 97 100 100 95 97 110 121 116 104 105 110 103 95 116 111 95 119 104 97 116 95 104 97 115 95 97 108 114 101 97 100 121 95 98 101 101 110 95 119 114 105 116 116 101 11 0 125" ,0x116); sVar3 = strlen((char *)local_3a8); lpData = local_3a8; local_104 = RegSetValueExA(local_288,local_100,0,1,lpData,(int)sVar3 + 1); RegCloseKey(local_280); local_110 = "/2b/62"; local_118 = "/32/72"; local_120 = "/45/22"; local_128 = "/49/64"; local_130 = "/35/46"; local_138 = "/49/39"; local_140 = "/49/62"; local_148 = "/2b/61"; local_150 = "/49/60"; local_158 = "/35/44"; local_160 = "/23/40"; local_168 = "/32/72"; local_170 = "/22/62"; local_178 = "/35/39"; local_180 = "/2b/40"; local_188 = "/33/3f"; local_190 = "/32/27"; local_198 = "/2b/28"; local_1a0 = "/2b/3e"; local_1a8 = "/2b/61"; local_1b0 = "/79/61"; local_1b8 = "/79/61"; local_1c0 = "/35/76"; local_1c8 = "/5f/6c"; local_1d0 = "/64/39"; local_1d8 = "/68/45"; local_1e0 = "/2b/3e"; local_1e8 = "/35/28"; local_1f0 = "/49/40"; local_1f8 = "/35/27"; local_200 = "/64/37"; local_208 = "/68/24"; local_210 = "/39/37"; local_218 = "/35/46"; local_220 = "/2a/28"; local_228 = "/35/61"; local_230 = "/29/61"; local_238 = "/75/3f"; strcat(local_4b8,"/2b/3e"); strcat(local_4b8,local_138); strcat(local_4b8,local_110); strcat(local_4b8,local_120); strcat(local_4b8,local_168); strcat(local_4b8,local_130); strcat(local_4b8,local_148); strcat(local_4b8,local_150); strcat(local_4b8,local_190); strcat(local_4b8,local_1d8); strcat(local_4b8,local_1a8); strcat(local_4b8,local_140); strcat(local_4b8,local_1b8); strcat(local_4b8,local_1d0); strcat(local_4b8,local_1e0); strcat(local_4b8,local_200); strcat(local_4b8,local_170); strcat(local_4b8,local_160); strcat(local_4b8,local_1e8); strcat(local_4b8,local_1f0); strcat(local_4b8,local_1f8); strcat(local_4b8,local_208); strcat(local_4b8,local_1b0); strcat(local_4b8,local_128); strcat(local_4b8,local_198); strcat(local_4b8,local_210); strcat(local_4b8,local_228); strcat(local_4b8,local_178); strcat(local_4b8,local_118); strcat(local_4b8,local_218); strcat(local_4b8,local_220); strcat(local_4b8,local_158); strcat(local_4b8,local_230); strcat(local_4b8,local_180); strcat(local_4b8,local_1c0); strcat(local_4b8,local_238); strcat(local_4b8,local_188); strcat(local_4b8,local_1c8); local_240 = "https://www.totallynothackers.org"; strcpy(local_5c8,"https://www.totallynothackers.org"); strcat(local_5c8,local_4b8); iVar2 = InternetCheckConnectionA(local_240,1,0); if (iVar2 == 0) { ShellExecuteA((HWND)0x0,"open","https://www.youtube.com/watch?v=WPUJG2jTw9s",(LPCSTR)0x0, (LPCSTR)0x0,1); } else { HttpSendRequestA(local_5c8,0,0xffffffff,0,(ulonglong)lpData & 0xffffffff00000000); } return (int)(iVar2 == 0); }
変数に以下が設定されているので、結合するとフラグになる。
local_10 = "01 - flag{Jack"; local_18 = "_Torrance_thought:"; local_20 = "_Officious_little_prick}";
flag{Jack_Torrance_thought:_Officious_little_prick}
Mal-Where is My Mind 02 (Mal-Where is My Mind 100)
「Mal-Where is My Mind 01」でデコンパイルしたコードの中に以下の内容がある。
: local_80 = "lfaGV"; local_88 = "50X3Rv"; local_90 = "BmbGFn"; local_98 = "="; local_a0 = "9u4oCZ"; local_a8 = "dF93YW"; local_b0 = "e0lfZG"; local_b8 = "X3N0YX"; local_c0 = "yZX0"; local_c8 = "MDIgLS"; : strcat(local_278,local_c8); strcat(local_278,local_90); strcat(local_278,local_b0); strcat(local_278,local_a0); strcat(local_278,local_a8); strcat(local_278,local_88); strcat(local_278,local_b8); strcat(local_278,local_80); strcat(local_278,local_c0); strcat(local_278,local_98); :
順に文字列を結合し、base64デコードする。
$ echo MDIgLSBmbGFne0lfZG9u4oCZdF93YW50X3RvX3N0YXlfaGVyZX0= | base64 -d 02 - flag{I_don’t_want_to_stay_here}
flag{I_don’t_want_to_stay_here}
Mal-Where is My Mind 03 (Mal-Where is My Mind 200)
「Mal-Where is My Mind 01」でデコンパイルしたコードの中に以下の内容がある。
: memcpy(local_3a8, "48 51 32 45 32 102 108 97 103 123 73 95 100 111 95 110 111 116 95 112 114 111 112 111 115 101 95 116 111 95 97 100 100 95 97 110 121 116 104 105 110 103 95 116 111 95 119 104 97 116 95 104 97 115 95 97 108 114 101 97 100 121 95 98 101 101 110 95 119 114 105 116 116 101 11 0 125" ,0x116); :
最後の部分の "101 11 0 125" を "101 110 125" に修正して、ASCIIコードとしてデコードする。
>>> s = '48 51 32 45 32 102 108 97 103 123 73 95 100 111 95 110 111 116 95 112 114 111 112 111 115 101 95 116 111 95 97 100 100 95 97 110 121 116 104 105 110 103 95 116 111 95 119 104 97 116 95 104 97 115 95 97 108 114 101 97 100 121 95 98 101 101 110 95 119 114 105 116 116 101 110 125'
>>> s = s.replace(' ', ' ')
>>> s = s.split(' ')
>>> ''.join([chr(int(c)) for c in s])
'03 - flag{I_do_not_propose_to_add_anything_to_what_has_already_been_written}'
flag{I_do_not_propose_to_add_anything_to_what_has_already_been_written}
Something in the Dark (Steganography 30)
StegSolveで開き、Red plane 0を見ると、フラグが現れた。
flag{ar3_we_410N3??}
Price Check (Steganography 100)
そのまま白黒にすると、QRコードに近い形になるが、ファインダの場所が違うので、上下反転する。
#!/usr/bin/env python3 with open('STEG05.csv', 'r') as f: lines = f.read().splitlines() for line in lines[::-1]: colors = line.split(',') for color in colors: if color == '0': print('_', end='') else: print('X', end='') print()
実行結果は以下の通り。
XXXXXXX_X___XXX_XX_X__XXXXXXX X_____X__XX_XXXX_X_X__X_____X X_XXX_X___X_X_X__XX_X_X_XXX_X X_XXX_X_X_XXX_____X___X_XXX_X X_XXX_X_X_X_______X___X_XXX_X X_____X_XX_XX___X__XX_X_____X XXXXXXX_X_X_X_X_X_X_X_XXXXXXX ________X____X_XXX_XX________ X___X_XXXXX__X___X_X_XXXXX__X X_XX___XX__X_XX_XXX___XXX_X_X X___X_X_XXXXX___X_X_X____XX__ X_X_XX_X_XXX__X__XX__XXXXX___ __XXX_X_X_XXXXXXXX__XX______X X__XXX_X___XX____XX___XXXX__X X__XX_XX_XX__XXX_XX_____XXX__ XX_XXX_____X_X_XXX_XXXX__X_XX X__X__XXX__X_X___X_XXX_X___X_ XXXX_X___XXXXXX_XXX__X_XX_X_X X__X_XX__XX_X___XXX_X___X____ __X_XX______X_X__X_XX___XX_X_ _X_XXXX___XX_XXX_X__XXXXXX_XX X_______XX__X_____X_X___XX___ XXXXXXX_X_X__XXX_X__X_X_X___X ______X__XXX_X_X_XXXX___XX__X X_XXX_X_XXXX_X_XXX_XXXXXXX_XX __XXX_X__X_X__XXX___XX_XXXXXX X_XXX_X___X____X___X_X___X_XX X_____X___XX__X_XX__XXXX_X_XX _XXXXXX_XXXX_X__XX__X_XXX__XX
QRコードとしておかしい部分があるので、下から8行のみ1番左と1番右を逆にする。
XXXXXXX_X___XXX_XX_X__XXXXXXX X_____X__XX_XXXX_X_X__X_____X X_XXX_X___X_X_X__XX_X_X_XXX_X X_XXX_X_X_XXX_____X___X_XXX_X X_XXX_X_X_X_______X___X_XXX_X X_____X_XX_XX___X__XX_X_____X XXXXXXX_X_X_X_X_X_X_X_XXXXXXX ________X____X_XXX_XX________ X___X_XXXXX__X___X_X_XXXXX__X X_XX___XX__X_XX_XXX___XXX_X_X X___X_X_XXXXX___X_X_X____XX__ X_X_XX_X_XXX__X__XX__XXXXX___ __XXX_X_X_XXXXXXXX__XX______X X__XXX_X___XX____XX___XXXX__X X__XX_XX_XX__XXX_XX_____XXX__ XX_XXX_____X_X_XXX_XXXX__X_XX X__X__XXX__X_X___X_XXX_X___X_ XXXX_X___XXXXXX_XXX__X_XX_X_X X__X_XX__XX_X___XXX_X___X____ __X_XX______X_X__X_XX___XX_X_ _X_XXXX___XX_XXX_X__XXXXXX_XX ________XX__X_____X_X___XX__X XXXXXXX_X_X__XXX_X__X_X_X___X X_____X__XXX_X_X_XXXX___XX___ X_XXX_X_XXXX_X_XXX_XXXXXXX_XX X_XXX_X__X_X__XXX___XX_XXXXX_ X_XXX_X___X____X___X_X___X_XX X_____X___XX__X_XX__XXXX_X_XX XXXXXXX_XXXX_X__XX__X_XXX__X_
これをqr.txtとして保存して、読み取る。
$ python2 sqrd.py qr.txt flag{that_will_be_five_dollars}
flag{that_will_be_five_dollars}
Logical Left and Rational Right (Cryptography 10)
"\"と"/"で8桁ずつ書かれている。"\"を"0"、"/"を"1"にしてデコードする。
#!/usr/bin/env python3 with open('logicalleftrationalright.txt', 'r') as f: enc = f.read() enc = enc.replace('\\', '0').replace('/', '1') enc = enc.split(' ') msg = '' for c in enc: msg += chr(int(c, 2)) print(msg)
デコードした結果は以下の通り。
Just a little something to get started, hope you have fun this year Turbo Tacky!!!! flag{H3YY0UrF1N411Y4W4K3}
flag{H3YY0UrF1N411Y4W4K3}
Ides-le Talk (Cryptography 15)
シーザー暗号と推測し、https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで復号する。ROT13で以下のように復号でき、フラグが含まれていた。
The Life and Death of Julius Caesar
Shakespeare homepage | Julius Caesar | Entire play
ACT I
SCENE I. Rome. A street.
Enter FLAVIUS, MARULLUS, and certain Commoners
FLAVIUS
Hence! home, you idle creatures get you home:
Is this a holiday? what! know you not,
Being mechanical, you ought not walk
Upon a labouring day without the sign
Of your profession? Speak, what trade art thou?
First Commoner
Why, sir, a carpenter.
:
:
OCTAVIUS
Let us do so: for we are at the stake,
And bay'd about with many enemies;
And some that smile have in their hearts, I fear,
Millions of mischiefs.
Exeunt
flag: L3t_The#Mi$chiefs^8361n
SCENE II. Camp near Sardis. Before BRUTUS's tent.
Drum. Enter BRUTUS, LUCILIUS, LUCIUS, and Soldiers; TITINIUS and PINDARUS meeting them
BRUTUS
Stand, ho!
LUCILIUS
:
flag{L3t_The#Mi$chiefs^8361n}
Social Pressure (Cryptography 30)
会話の中身をquipqiupで復号する。
luciafer 1:19 PM Hey lilith, big news! We're going after De Monne Financial next. Their security measures have some holes that we're gonna exploit big time! I've been poking around and found some SQL vulnerabilities we can leverage for maximum chaos. Remember that IT guy I mentioned before? Turns out, he’s a real chatty Cathy on social media. Think we can use some good ol' social engineering to our advantage. We’ll get him spewing passwords like a leaky faucet. Plus, with your OSINT skills and my SQL magic, they won’t see what hit 'em. lilith 1:20 PM I've already started some OSINT recon and guess what? Found some juicy deets about their IT team on LinkedIn. People overshare so much, it's practically a goldmine. Social engineering that chatty dude should be a breeze; I'll craft a legend that'll have him spilling everything. luciafer 1:21 PM Yaaas, this is gonna be legendary! Loving the enthusiasm. And Elroy Ongaro? That guy's practically rolling out the red carpet for us with how much he shares online. Can't believe how easy some of these targets make it. lilith 1:22 PM Absolutely! Elroy Ongaro has no idea what's coming his way. I've already got a few angles in mind to get him talking. Social engineering these types is always a thrill. I'll start drafting some personas and scripts. Once he's under our influence, we can orchestrate the SQL exploit seamlessly. Your expertise in that area is going to be crucial.
ターゲットは Elroy Ongaro であることがわかる。
flag{Elroy_Ongaro}
