picoCTF Practice Writeup 4
A record of working through the 8 problems on picoGym Practice Challenges page=4.
It is gradually getting harder.
The hard problems on this page:
Mini RSA, 400 solves (RSA can be broken when e is small)
Dachshund Attacks, 623 solves (RSA can be broken when e is too large)
ARMssembly 2, 354 solves (I tried to explain it clearly)
Ones I could not get motivated for:
Trivial Flag Transfer Protocol, 562 solves (steganography)
Ones I was completely helpless against:
More Cookies, 87 solves
No Padding, No Problem, 338 solves
Here's a LIBC, 189 solves
Mini RSA
Category: Cryptography
Description:
What happens if you have a small exponent? There is a twist though, we padded the plaintext so that (M ** e) is just barely larger than N. Let's decrypt this: ciphertext
Hints
- RSA tutorial
- How could having too small of an e affect the security of this key?
- Make sure you don't lose precision, the numbers are pretty big (besides the e value)
- You shouldn't have to make too many guesses
- pico is in the flag, but not at the beginning
N: 1615765684321463054078226051959887884233678317734892901740763321135213636796075462401950274602405095138589898087428337758445013281488966866073355710771864671726991918706558071231266976427184673800225254531695928541272546385146495736420261815693810544589811104967829354461491178200126099661909654163542661541699404839644035177445092988952614918424317082380174383819025585076206641993479326576180793544321194357018916215113009742654408597083724508169216182008449693917227497813165444372201517541788989925461711067825681947947471001390843774746442699739386923285801022685451221261010798837646928092277556198145662924691803032880040492762442561497760689933601781401617086600593482127465655390841361154025890679757514060456103104199255917164678161972735858939464790960448345988941481499050248673128656508055285037090026439683847266536283160142071643015434813473463469733112182328678706702116054036618277506997666534567846763938692335069955755244438415377933440029498378955355877502743215305768814857864433151287
e: 3
ciphertext (c): 1220012318588871886132524757898884422174534558055593713309088304910273991073554732659977133980685370899257850121970812405700793710546674062154237544840177616746805668666317481140872605653768484867292138139949076102907399831998827567645230986345455915692863094364797526497302082734955903755050638155202890599808154521995312832362835648711819155169679435239286935784452613518014043549023137530689967601174246864606495200453313556091158637122956278811935858649498244722557014003601909465057421728834883411992999408157828996722087360414577252630186866387785481057649036414986099181831292644783916873710123009473008639825720434282893177856511819939659625989092206115515005188455003918918879483234969164887705505900695379846159901322053253156096586139847768297521166448931631916220211254417971683366167719596219422776768895460908015773369743067718890024592505393221967098308653507944367482969331133726958321767736855857529350486000867434567743580745186277999637935034821461543527421831665171525793988229518569050
Solution:
I leaned on others. The writeup that helped:
However, gmpy2 would not install.
Can it be done without gmpy2?
That writeup takes the n-th root with gmpy.
I managed to install gmpy on Ubuntu under WSL.
Let's combine the two.
#!/usr/bin/env python3
from Crypto.Util.number import long_to_bytes
import gmpy
n = 1615765684321463054078226051959887884233678317734892901740763321135213636796075462401950274602405095138589898087428337758445013281488966866073355710771864671726991918706558071231266976427184673800225254531695928541272546385146495736420261815693810544589811104967829354461491178200126099661909654163542661541699404839644035177445092988952614918424317082380174383819025585076206641993479326576180793544321194357018916215113009742654408597083724508169216182008449693917227497813165444372201517541788989925461711067825681947947471001390843774746442699739386923285801022685451221261010798837646928092277556198145662924691803032880040492762442561497760689933601781401617086600593482127465655390841361154025890679757514060456103104199255917164678161972735858939464790960448345988941481499050248673128656508055285037090026439683847266536283160142071643015434813473463469733112182328678706702116054036618277506997666534567846763938692335069955755244438415377933440029498378955355877502743215305768814857864433151287
e = 3
c = 1220012318588871886132524757898884422174534558055593713309088304910273991073554732659977133980685370899257850121970812405700793710546674062154237544840177616746805668666317481140872605653768484867292138139949076102907399831998827567645230986345455915692863094364797526497302082734955903755050638155202890599808154521995312832362835648711819155169679435239286935784452613518014043549023137530689967601174246864606495200453313556091158637122956278811935858649498244722557014003601909465057421728834883411992999408157828996722087360414577252630186866387785481057649036414986099181831292644783916873710123009473008639825720434282893177856511819939659625989092206115515005188455003918918879483234969164887705505900695379846159901322053253156096586139847768297521166448931631916220211254417971683366167719596219422776768895460908015773369743067718890024592505393221967098308653507944367482969331133726958321767736855857529350486000867434567743580745186277999637935034821461543527421831665171525793988229518569050
# m**e is only slightly larger than n, so m**e == c + i*n for some small i.
# Try i = 1, 2, ... until c + i*n has an exact e-th root.
i = 1
while True:
    m, ok = gmpy.root(c + i * n, e)   # gmpy 1.x: returns (root, is_exact)
    if ok:
        break
    i += 1
print(long_to_bytes(m))
Result
$ python rsa_picoCTF2021_e_small3.py
picoCTF{e_sh0u1d_b3_lArg3r_a166c1e3}
Done. The combination worked.
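As an added example (not the writeup's own code), here is the same small-e search without gmpy: an exact integer k-th root in pure Python, so no precision is lost on big numbers. The parameters P, Q, M below are constructed toy values, not the challenge's N and c, and the loop starts at i = 0 so it also covers the case where m**e never wrapped past n.

```python
#!/usr/bin/env python3
# Added example: pure-Python replacement for gmpy.root in the small-e attack.

def iroot(x: int, k: int):
    """Return (r, exact) with r = floor(x ** (1/k)) and exact = (r**k == x).
    Integer Newton iteration from an overestimate, so no float rounding."""
    if x < 0 or k < 1:
        raise ValueError("x must be >= 0 and k >= 1")
    if x < 2:
        return x, True
    r = 1 << ((x.bit_length() + k - 1) // k)   # r**k >= x to start
    while True:
        nxt = ((k - 1) * r + x // r ** (k - 1)) // k
        if nxt >= r:               # stopped decreasing: r is floor root
            break
        r = nxt
    return r, r ** k == x

def small_e_recover(c: int, n: int, e: int, max_steps: int = 1_000_000):
    """Find m with m**e == c + i*n for a small i (m**e barely exceeded n).
    Returns (m, i), or (None, None) if no exact root is found in max_steps."""
    for i in range(max_steps):
        m, exact = iroot(c + i * n, e)
        if exact:
            return m, i
    return None, None

# Constructed toy parameters (assumption: both primes are well known;
# 2**31 - 1 and 2**32 - 5 are prime). n is ~2**63, e = 3, and the message
# is "padded" by a 7-bit left shift so that m**3 is only ~5 times n.
P, Q, E = 2147483647, 4294967291, 3
N = P * Q
M = int.from_bytes(b"ok", "big") << 7
C = pow(M, E, N)

if __name__ == "__main__":
    m, i = small_e_recover(C, N, E)
    print(m == M, i, (m >> 7).to_bytes(2, "big"))
```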
Dachshund Attacks
Category: Cryptography
Description:
What if d is too small? Connect with nc mercury.picoctf.net 31133.
Hints:
What do you think about my pet? dachshund.jpg
$ nc mercury.picoctf.net 31133
Welcome to my RSA challenge!
e: 19389253070440479736316097158431751673568090703428814927414571770634812255869963215314781964507430663561416750527967758440913320999500010672120545043706094118568144346874368216898619149682234634704763331552671622458519035403739489125379129391678393772012588006796945012020768883994230295305733924177402133871
n: 83185175808698718888834828096609955232100781373746559712666730801740104281237662439864416721153849786352269935143895102755301656033539783379857707763388143627544741389190133234323832608444986154146569021046012581210234465861906643302877460717465441201498150419176578121716891089774409591160069497876398471081
c: 40605834110661890208425250783347595037236013856196965345464640286265269783197167459112387908050537556130954728763114346958648500171267792316060025955441414045597471613185125066693214792124472365424667347974727299004077868354220994599716304244376128324182082015904657169872296830216785788338030673920187934847
Solution:
I leaned on others. The writeup that helped:
Theory
I do not understand the theory at all.
But this vulnerability is the one where, when e is too large, the private key can be computed from e and n, that is, from the public key.
Trivial Flag Transfer Protocol
Category: Forensics
This is forensics? I refuse to accept a problem like this as forensics.
ARMssembly 2
Category: Reverse Engineering
Description:
What integer does this program print with argument 4189673334? File: chall_2.S Flag format: picoCTF{XXXXXXXX} -> (hex, lowercase, no 0x, and 32 bits. ex. 5614267 would be picoCTF{0055aabb})
Hints:
- Loops
    .arch armv8-a
    .file "chall_2.c"
    .text
    .align 2
    .global func1
    .type func1, %function
func1:
    sub sp, sp, #32
    str w0, [sp, 12]
    str wzr, [sp, 24]
    str wzr, [sp, 28]
    b .L2
.L3:
    ldr w0, [sp, 24]
    add w0, w0, 3
    str w0, [sp, 24]
    ldr w0, [sp, 28]
    add w0, w0, 1
    str w0, [sp, 28]
.L2:
    ldr w1, [sp, 28]
    ldr w0, [sp, 12]
    cmp w1, w0
    bcc .L3
    ldr w0, [sp, 24]
    add sp, sp, 32
    ret
    .size func1, .-func1
    .section .rodata
    .align 3
.LC0:
    .string "Result: %ld\n"
    .text
    .align 2
    .global main
    .type main, %function
main:
    stp x29, x30, [sp, -48]!
    add x29, sp, 0
    str w0, [x29, 28]
    str x1, [x29, 16]
    ldr x0, [x29, 16]
    add x0, x0, 8
    ldr x0, [x0]
    bl atoi
    bl func1
    str w0, [x29, 44]
    adrp x0, .LC0
    add x0, x0, :lo12:.LC0
    ldr w1, [x29, 44]
    bl printf
    nop
    ldp x29, x30, [sp], 48
    ret
    .size main, .-main
    .ident "GCC: (Ubuntu/Linaro 7.5.0-3ubuntu1~18.04) 7.5.0"
    .section .note.GNU-stack,"",@progbits
Solution:
I will explain only the important parts.
Function calls
atoi
bl atoi # convert the argument string 4189673334 to an integer
bl func1 # call func1
zero register wzr
cmp (subs)
bcc
Tracing only the first pass of the loop in the function:
func1:
    sub sp, sp, #32      # stack adjustment, ignore
    str w0, [sp, 12]     # save the argument 4189673334 at sp+12
    str wzr, [sp, 24]    # wzr, i.e. 0, to sp+24
    str wzr, [sp, 28]    # wzr, i.e. 0, to sp+28
    b .L2                # jump to .L2
.L3:
    ldr w0, [sp, 24]     # w0 <- 0
    add w0, w0, 3        # w0 += 3
    str w0, [sp, 24]     # 3 -> sp+24
    ldr w0, [sp, 28]     # w0 <- 0
    add w0, w0, 1        # w0 += 1
    str w0, [sp, 28]     # 1 -> sp+28
.L2:
    ldr w1, [sp, 28]     # w1 <- 0
    ldr w0, [sp, 12]     # w0 <- 4189673334
    cmp w1, w0           # same as subs; if w1 < w0 the carry flag = 0
    bcc .L3              # if carry flag = 0, jump to .L3
    ldr w0, [sp, 24]
    add sp, sp, 32
    ret
Stack slot sp+28 is the loop counter; the loop runs 4189673334 times.
Stack slot sp+24 holds the result; sp+24 += 3 is done 4189673334 times.
Written in Python it looks like this (it seemed slow, so I also measure the time):
import time
import struct

start = time.time()
arg = 4189673334          # the program argument (sp+12)
i = 0                     # loop counter (sp+28)
ans = 0                   # accumulator (sp+24)
while i < arg:
    i += 1
    ans += 3
# w0 is a 32-bit register, so truncate to 32 bits and print as big-endian hex
print(struct.pack('>L', ans & 0xffffffff).hex())
elapsed_time = time.time() - start
print("elapsed_time:{0}".format(elapsed_time) + "[sec]")
4189673334*3 would be instant, but...
Σ_{i=1}^{4189673334} 3 = 3+3+3+3+3+3+3+3+3+3+3+3+3+3+3+...
Result
>python test.py
ed2c0662
elapsed_time:2830.6259717941284[sec]
An easy-to-understand explanation of struct.pack
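As an added example (not the writeup's code), the same computation in constant time: func1 adds 3 to a 32-bit register `arg` times, so the result is 3*arg reduced modulo 2**32, and because bcc is an unsigned comparison the argument is treated as a uint32. A small emulator of the loop is included to cross-check the closed form on inputs small enough to iterate.

```python
# Added example: closed form for func1 with 32-bit wrap-around, plus a
# step-by-step emulator of the loop for cross-checking on small inputs.

MASK32 = 0xFFFFFFFF

def func1_closed_form(arg: int) -> int:
    """3*arg with 32-bit wrap-around: exactly what w0 holds at ret."""
    arg &= MASK32              # w0 is a 32-bit register, compared unsigned
    return (3 * arg) & MASK32

def func1_emulated(arg: int) -> int:
    """Emulate the loop: sp+28 is the counter, sp+24 the running sum.
    Only for small arg; the real input needs ~4.2e9 iterations."""
    arg &= MASK32
    counter, total = 0, 0
    while counter < arg:       # cmp + bcc: unsigned 'lower' test
        total = (total + 3) & MASK32
        counter = (counter + 1) & MASK32
    return total

def to_flag(value: int) -> str:
    """Challenge format: 8 lowercase hex digits, no 0x, inside picoCTF{...}."""
    return "picoCTF{%08x}" % (value & MASK32)

if __name__ == "__main__":
    import random
    # Cross-check the closed form against the emulator on small inputs
    for n in [0, 1, 7, 1000] + [random.randrange(1 << 16) for _ in range(4)]:
        assert func1_closed_form(n) == func1_emulated(n)
    print(to_flag(func1_closed_form(4189673334)))   # picoCTF{ed2c0662}
```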
where are the robots
Category: Web Exploitation
Description:
Can you find the robots? https://jupiter.challenges.picoctf.org/problem/56830/ (link) or http://jupiter.challenges.picoctf.org:56830
Hints:
Solution:
Because the point values changed, something this easy ends up on page 4.
vault-door-1
Category: Reverse Engineering
Description:
This vault uses some complicated arrays! I hope you can make sense of it, special agent. The source code for this vault is here: VaultDoor1.java
Hints:
- Look up the charAt() method online.
import java.util.*;

class VaultDoor1 {
    public static void main(String args[]) {
        VaultDoor1 vaultDoor = new VaultDoor1();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // I came up with a more secure way to check the password without putting
    // the password itself in the source code. I think this is going to be
    // UNHACKABLE!! I hope Dr. Evil agrees...
    //
    // -Minion #8728
    public boolean checkPassword(String password) {
        return password.length() == 32 &&
               password.charAt(0)  == 'd' &&
               password.charAt(29) == 'a' &&
               password.charAt(4)  == 'r' &&
               password.charAt(2)  == '5' &&
               password.charAt(23) == 'r' &&
               password.charAt(3)  == 'c' &&
               password.charAt(17) == '4' &&
               password.charAt(1)  == '3' &&
               password.charAt(7)  == 'b' &&
               password.charAt(10) == '_' &&
               password.charAt(5)  == '4' &&
               password.charAt(9)  == '3' &&
               password.charAt(11) == 't' &&
               password.charAt(15) == 'c' &&
               password.charAt(8)  == 'l' &&
               password.charAt(12) == 'H' &&
               password.charAt(20) == 'c' &&
               password.charAt(14) == '_' &&
               password.charAt(6)  == 'm' &&
               password.charAt(24) == '5' &&
               password.charAt(18) == 'r' &&
               password.charAt(13) == '3' &&
               password.charAt(19) == '4' &&
               password.charAt(21) == 'T' &&
               password.charAt(16) == 'H' &&
               password.charAt(27) == '6' &&
               password.charAt(30) == 'f' &&
               password.charAt(25) == '_' &&
               password.charAt(22) == '3' &&
               password.charAt(28) == 'd' &&
               password.charAt(26) == 'f' &&
               password.charAt(31) == '4';
    }
}
Solution:
Just put the characters back in index order.
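As an added example (not the writeup's code), the reordering done by script: parse each charAt(i) == 'x' check out of the Java source, place the character at index i, and refuse to answer if an index is missing or checked twice with different values. JAVA_CHECKS is a constructed copy of the checks from the VaultDoor1.java listing above; the same function works on the full source file.

```python
# Added example: reconstruct the password from the per-index charAt checks.
import re

# Constructed copy of the comparison chain in checkPassword() above.
JAVA_CHECKS = """
password.length() == 32 &&
password.charAt(0) == 'd' && password.charAt(29) == 'a' && password.charAt(4) == 'r' &&
password.charAt(2) == '5' && password.charAt(23) == 'r' && password.charAt(3) == 'c' &&
password.charAt(17) == '4' && password.charAt(1) == '3' && password.charAt(7) == 'b' &&
password.charAt(10) == '_' && password.charAt(5) == '4' && password.charAt(9) == '3' &&
password.charAt(11) == 't' && password.charAt(15) == 'c' && password.charAt(8) == 'l' &&
password.charAt(12) == 'H' && password.charAt(20) == 'c' && password.charAt(14) == '_' &&
password.charAt(6) == 'm' && password.charAt(24) == '5' && password.charAt(18) == 'r' &&
password.charAt(13) == '3' && password.charAt(19) == '4' && password.charAt(21) == 'T' &&
password.charAt(16) == 'H' && password.charAt(27) == '6' && password.charAt(30) == 'f' &&
password.charAt(25) == '_' && password.charAt(22) == '3' && password.charAt(28) == 'd' &&
password.charAt(26) == 'f' && password.charAt(31) == '4';
"""

CHECK_RE = re.compile(r"charAt\((\d+)\)\s*==\s*'(.)'")
LEN_RE = re.compile(r"length\(\)\s*==\s*(\d+)")

def unscramble(java_src: str) -> str:
    """Place each checked character at its index; fail on gaps or conflicts."""
    m = LEN_RE.search(java_src)
    length = int(m.group(1)) if m else None
    slots = {}
    for idx, ch in CHECK_RE.findall(java_src):
        idx = int(idx)
        if slots.get(idx, ch) != ch:
            raise ValueError(f"conflicting checks for index {idx}")
        slots[idx] = ch
    if length is None:                 # no length() check: infer from indexes
        length = max(slots) + 1
    missing = [i for i in range(length) if i not in slots]
    if missing:
        raise ValueError(f"no check for indexes {missing}")
    return "".join(slots[i] for i in range(length))

def flag(java_src: str) -> str:
    # main() strips "picoCTF{" and the trailing "}", so add them back here.
    return "picoCTF{" + unscramble(java_src) + "}"

if __name__ == "__main__":
    print(flag(JAVA_CHECKS))
```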
what's a net cat?
Category: General Skills
Description:
Using netcat (nc) is going to be pretty important. Can you connect to jupiter.challenges.picoctf.org at port 41120 to get the flag?
Hints:
nc tutorial
Solution:
$ nc jupiter.challenges.picoctf.org 41120
You're on your way to becoming the net cat master
picoCTF{nEtCat_Mast3ry_3214be47}
strings it
Category: General Skills
Description:
Can you find the flag in file without running it?
Hints:
strings
Solution:
The downloaded file is an ELF.
Surface analysis
Easy1
Category: Cryptography
Description:
The one time pad can be cryptographically secure, but not when you know the key. Can you solve this? We've given you the encrypted flag, key, and a table to help UFJKXQZQUNB with the key of SOLVECRYPTO. Can you use this table to solve it?
Hints:
- Submit your answer in our flag format. For example, if your answer was 'hello', you would submit 'picoCTF{HELLO}' as the flag.
- Please use all caps for the message.
    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  +----------------------------------------------------
A | A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B | B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C | C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D | D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E | E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F | F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G | G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H | H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I | I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J | J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K | K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L | L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M | M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N | N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O | O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P | P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q | Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R | R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S | S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T | T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U | U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V | V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W | W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X | X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y | Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z | Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Solution:
How is the encryption done?
For example, encrypt PICOCTF with the key BCDEFGH.
The first character is the intersection of P on the y axis and B on the x axis, which is Q.
Decryption is the reverse of encryption: first pick the key character (x axis), find the ciphertext character in that column, and its y axis value is the flag character.
The first key character is S, so look for U in column S.
U in column S is on row C, so the first character of the flag is C.
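As an added example (not the writeup's code), the table lookup described above written as code: encryption reads the cell at row = plaintext letter, column = key letter; decryption finds the ciphertext letter in the key's column and reads off the row. The key repeats if it is shorter than the text (Vigenère behaviour, an assumption beyond the equal-length keys on this page), and non-letters pass through without consuming a key character.

```python
# Added example: tabula recta encryption and decryption for the Easy1 table.
import string

ALPHABET = string.ascii_uppercase
# Row r of the table is the alphabet rotated left by r positions,
# so TABLE[row][col] == ALPHABET[(row + col) % 26].
TABLE = [ALPHABET[r:] + ALPHABET[:r] for r in range(26)]

def encrypt(plaintext: str, key: str) -> str:
    out, k = [], 0
    for ch in plaintext.upper():
        if ch not in ALPHABET:         # keep spaces/punctuation as-is
            out.append(ch)
            continue
        row = ALPHABET.index(ch)
        col = ALPHABET.index(key[k % len(key)].upper())
        out.append(TABLE[row][col])
        k += 1
    return "".join(out)

def decrypt(ciphertext: str, key: str) -> str:
    out, k = [], 0
    for ch in ciphertext.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        col = ALPHABET.index(key[k % len(key)].upper())
        # Which row holds `ch` in this column?  Exactly one row does.
        row = next(r for r in range(26) if TABLE[r][col] == ch)
        out.append(ALPHABET[row])
        k += 1
    return "".join(out)

if __name__ == "__main__":
    print(encrypt("PICOCTF", "BCDEFGH"))          # QKFSHZM
    print(decrypt("UFJKXQZQUNB", "SOLVECRYPTO"))  # CRYPTOISFUN
```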