
picoCTF Practice Writeup 5

Posted at 2021-04-18

A record of working through the 11 challenges on picoGym Practice Challenges page 5.

They are gradually getting harder.

The hard ones on this page are:
Pixelated, 659 solves (steganography)
It is my Birthday, 835 solves (OSINT)
Wireshark twoo twooo two twoo..., 468 solves (packet analysis)
Hurry up! Wait!, 259 solves

Unsubscriptions Are Free, 159 solves, was beyond me.

logon

Category: Web Exploitation
Description:
The factory is hiding things from all of its users. Can you login as Joe and find what they've been looking at? https://jupiter.challenges.picoctf.org/problem/44573/ (link) or http://jupiter.challenges.picoctf.org:44573
Hints:
Hmm it doesn't seem to check anyone's password, except for Joe's?
Solution:
Click the Sign in button without entering anything, and the page reports a successful login.
Look at the cookies in Burp: admin=False looks suspicious, so change it to True and resend.
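Why admin=False is the weak point: the server trusts a flag that the client can rewrite. As an added example (not part of the challenge or this writeup), the Python below shows the insecure check next to a version that binds the flag to an HMAC, so an edited admin value is rejected. The secret key, cookie names and payload layout are constructed for the example.

```python
import hashlib
import hmac

# Constructed server secret for this example; a real server loads it from protected config.
SERVER_SECRET = b"example-only-secret-key"


def parse_cookie(header: str) -> dict:
    """Split a raw Cookie header ("a=1; b=2") into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def is_admin_insecure(cookie_header: str) -> bool:
    """The pattern behind the challenge: the server believes whatever admin= says."""
    return parse_cookie(cookie_header).get("admin") == "True"


def make_session_cookie(username: str, admin: bool) -> str:
    """Issue 'session=<payload>.<hmac>' so the server can detect edits to the payload."""
    payload = f"{username}|admin={admin}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"session={payload}.{tag}"


def is_admin_signed(cookie_header: str) -> bool:
    """Recompute the HMAC over the presented payload; any mismatch means tampering or forgery."""
    session = parse_cookie(cookie_header).get("session", "")
    payload, dot, tag = session.rpartition(".")
    if not dot:
        return False
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False
    return payload.endswith("|admin=True")
```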

13

Category: Cryptography
Description:
Cryptography can be easy, do you know what ROT13 is? cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}
Hints:
This can be solved online if you don't want to do it by hand!
Solution:
ROT13

caesar

Category: Cryptography
Description:
Decrypt this message.
Hints:
caesar cipher tutorial

ciphertext
picoCTF{gvswwmrkxlivyfmgsrhnrisegl}

The answer is crossingtherubicondjneoach, but I have no idea where to split it to get a meaningful phrase.
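A shift-cipher breaker in Python, added here as an example rather than taken from either challenge: the same routine solves "13" (ROT13 is a Caesar shift of 13) and, by scoring all 26 shifts against English letter frequencies, recovers the unknown shift for "caesar". The frequency table is the standard published one for English; only the part inside the picoCTF{...} wrapper is enciphered.

```python
# Relative English letter frequencies (percent) for a..z, the usual published table.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` places, keeping case; other characters pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z" or "A" <= ch <= "Z":
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is the Caesar shift by 13, which is its own inverse."""
    return caesar_shift(text, 13)


def english_score(text: str) -> float:
    """Sum of the frequency of every letter: the right shift scores higher than a wrong one."""
    return sum(ENGLISH_FREQ[ord(ch) - ord("a")] for ch in text.lower() if "a" <= ch <= "z")


def break_caesar(ciphertext: str):
    """Try all 26 keys and return (key, plaintext) for the most English-looking candidate."""
    candidates = [(key, caesar_shift(ciphertext, -key)) for key in range(26)]
    return max(candidates, key=lambda kp: english_score(kp[1]))


if __name__ == "__main__":
    print(rot13("cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}"))
    print(break_caesar("gvswwmrkxlivyfmgsrhnrisegl"))
```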

dont-use-client-side

Category: Web Exploitation
Description:
Can you break into this super secure portal? https://jupiter.challenges.picoctf.org/problem/17682/ (link) or http://jupiter.challenges.picoctf.org:17682
Hints:
Never trust the client

Solution:
The page source:

<html>
<head>
<title>Secure Login Portal</title>
</head>
<body bgcolor=blue>
<!-- standard MD5 implementation -->
<script type="text/javascript" src="md5.js"></script>

<script type="text/javascript">
  function verify() {
    checkpass = document.getElementById("pass").value;
    split = 4;
    if (checkpass.substring(0, split) == 'pico') {
      if (checkpass.substring(split*6, split*7) == '706c') {
        if (checkpass.substring(split, split*2) == 'CTF{') {
         if (checkpass.substring(split*4, split*5) == 'ts_p') {
          if (checkpass.substring(split*3, split*4) == 'lien') {
            if (checkpass.substring(split*5, split*6) == 'lz_b') {
              if (checkpass.substring(split*2, split*3) == 'no_c') {
                if (checkpass.substring(split*7, split*8) == '5}') {
                  alert("Password Verified")
                  }
                }
              }

            }
          }
        }
      }
    }
    else {
      alert("Incorrect password");
    }

  }
</script>
<div style="position:relative; padding:5px;top:50px; left:38%; width:350px; height:140px; background-color:yellow">
<div style="text-align:center">
<p>This is the secure login portal</p>
<p>Enter valid credentials to proceed</p>
<form action="index.html" method="post">
<input type="password" id="pass" size="8" />
<br/>
<input type="submit" value="verify" onclick="verify(); return false;" />
</form>
</div>
</div>
</body>
</html>

Just rearrange the pieces.
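The rearranging can be done by parsing the substring checks out of the page's verify() function. The Python below is an added example, not code from the challenge or this writeup; it makes the defender's point concrete: a check that runs in the browser also hands the client everything needed to pass it. It handles only the offset expressions that appear in this script (0, split, split*N) and refuses to answer if the checks leave a gap.

```python
import re

# Constructed copy of the checks in the page's verify() function (the alert() lines are not needed).
VERIFY_JS = """
split = 4;
if (checkpass.substring(0, split) == 'pico') {
  if (checkpass.substring(split*6, split*7) == '706c') {
    if (checkpass.substring(split, split*2) == 'CTF{') {
      if (checkpass.substring(split*4, split*5) == 'ts_p') {
        if (checkpass.substring(split*3, split*4) == 'lien') {
          if (checkpass.substring(split*5, split*6) == 'lz_b') {
            if (checkpass.substring(split*2, split*3) == 'no_c') {
              if (checkpass.substring(split*7, split*8) == '5}') {
"""

CHECK_RE = re.compile(r"substring\(([^,]+),([^)]+)\)\s*==\s*'([^']*)'")


def eval_offset(expr: str, split: int) -> int:
    """Evaluate the tiny offset grammar the script uses: '0', 'split' or 'split*N'."""
    expr = expr.replace(" ", "")
    if expr == "split":
        return split
    m = re.fullmatch(r"split\*(\d+)", expr)
    return split * int(m.group(1)) if m else int(expr)


def reassemble_password(js: str) -> str:
    """Recover the only string that passes every check by sorting the fragments by offset."""
    split = int(re.search(r"split\s*=\s*(\d+)", js).group(1))
    fragments = sorted(
        (eval_offset(a, split), eval_offset(b, split), lit) for a, b, lit in CHECK_RE.findall(js)
    )
    password = ""
    for start, end, literal in fragments:
        # Every fragment must start exactly where the previous one ended and fit its window.
        if start != len(password) or len(literal) > end - start:
            raise ValueError(f"checks do not cover the string contiguously at offset {start}")
        password += literal
    return password
```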

Bases

Category: General Skills
Description:
What does this bDNhcm5fdGgzX3IwcDM1 mean? I think it has something to do with bases.
Hints:
Submit your answer in our flag format. For example, if your answer was 'hello', you would submit 'picoCTF{hello}' as the flag.

Solution:
base64

First Grep

Category: General Skills
Description:
Can you find the flag in file? This would be really tedious to look through manually, something tells me there is a better way.
Hints:
grep tutorial

Solution:
Surface analysis of the file (screenshot omitted).

Pixelated

Category: Cryptography
Description:
I have these 2 images, can you make a flag out of them? scrambled1.png scrambled2.png
Hints:
1. https://en.wikipedia.org/wiki/Visual_cryptography
2. Think of different ways you can "stack" images

scrambled1.png (image)

scrambled2.png (image)

Solution:
(screenshots omitted)

How to use 「青い空を見上げればいつもそこに白い猫」
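The hint's "stacking" is the (2,2) visual cryptography scheme described in the linked Wikipedia article. As an added example (not the challenge's images or the tool used above), the Python below splits a constructed 5x5 bitmap into two random-looking shares, stacks them the way transparencies would (OR), and decodes the result; it also shows that one share alone decodes to a blank image, which is the whole security argument of the scheme.

```python
import random

# Constructed 5x5 secret bitmap (1 = black pixel). It spells a crude "T".
SECRET = [
    [1, 1, 1, 1, 1],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
]


def make_shares(secret, seed=0):
    """(2,2) visual cryptography: every secret pixel becomes a 1x2 subpixel pair in each share.
    A white pixel gives both shares the same random pair; a black pixel gives complementary
    pairs. Each share on its own is a uniformly random pattern and leaks nothing."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    share1, share2 = [], []
    for row in secret:
        r1, r2 = [], []
        for pixel in row:
            pair = [1, 0] if rng.random() < 0.5 else [0, 1]
            r1.extend(pair)
            r2.extend(pair if pixel == 0 else [1 - bit for bit in pair])
        share1.append(r1)
        share2.append(r2)
    return share1, share2


def stack(share1, share2):
    """Stacking two transparencies: a subpixel is black if it is black in either share (OR)."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(share1, share2)]


def decode(image):
    """Collapse each subpixel pair back to one pixel: both black = black, otherwise white.
    Applied to a single share this always gives a blank image, because every pair has
    exactly one black subpixel."""
    return [[1 if row[i] + row[i + 1] == 2 else 0 for i in range(0, len(row), 2)]
            for row in image]
```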

It is my Birthday

Category: Web Exploitation
Description:
I sent out 2 invitations to all of my friends for my birthday! I'll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn't believe how long it took me to find a collision. Anyway, see if you're invited by submitting 2 PDFs to my website. http://mercury.picoctf.net:50970/
Hints:
1. Look at the category of this problem.
2. How may a PHP site check the rules in the description?


Solution:
Search the web for PDFs whose md5 hashes collide.
Found a pair, so upload them.

File too large!

Huh? There is a size limit. Look for smaller ones.

Wireshark twoo twooo two twoo...

Who are you?


Hurry up! Wait!

Category: Reverse Engineering
Description:
svchost.exe
Hints:
(None)

Solution:
Static analysis with Ghidra.
One function after another gets called.

FUN_0010298a
void FUN_0010298a(void)
{
  ada__calendar__delays__delay_for(1000000000000000);
  FUN_00102616(); 
  FUN_001024aa(); 
  FUN_00102372(); 
  FUN_001025e2(); 
  FUN_00102852(); 
  FUN_00102886(); 
  FUN_001028ba(); 
  FUN_00102922(); 
  FUN_001023a6();  
  FUN_00102136();
  FUN_00102206();
  FUN_0010230a();
  FUN_00102206();
  FUN_0010257a();
  FUN_001028ee();
  FUN_0010240e();
  FUN_001026e6();
  FUN_00102782();
  FUN_001028ee();
  FUN_001023da();
  FUN_0010230a();
  FUN_0010233e();
  FUN_0010226e();
  FUN_001022a2();
  FUN_001023da();
  FUN_001021d2();
  FUN_00102956(); 
  return;
}

Let's look at the first one, FUN_00102616().

FUN_00102616
void FUN_00102616(void)

{
  ada__text_io__put__4(&DAT_00102cd8,&DAT_00102cb8,&DAT_00102cb8,&DAT_00102cd8);
  return;
}

Looking up ada__text_io__put__4, it turns out this is from the Ada programming language.

What is &DAT_00102cd8?


It's "p".
Check the rest one by one.

FUN_0010298a
void FUN_0010298a(void)
{
  ada__calendar__delays__delay_for(1000000000000000);
  FUN_00102616(); // p
  FUN_001024aa(); // i
  FUN_00102372(); // c
  FUN_001025e2(); // o
  FUN_00102852(); // C
  FUN_00102886(); // T
  FUN_001028ba(); // F
  FUN_00102922(); // {
  FUN_001023a6(); // d
  FUN_00102136(); // 1
  FUN_00102206(); // 5
  FUN_0010230a(); // a
  FUN_00102206(); // 5 
  FUN_0010257a(); // m
  FUN_001028ee(); // _
  FUN_0010240e(); // f
  FUN_001026e6(); // t
  FUN_00102782(); // w
  FUN_001028ee(); // _
  FUN_001023da(); // e
  FUN_0010230a(); // a
  FUN_0010233e(); // b
  FUN_0010226e(); // 7
  FUN_001022a2(); // 8
  FUN_001023da(); // e
  FUN_001021d2(); // 4
  FUN_00102956(); // }
  return;
}

Unsubscriptions Are Free

Category: Binary Exploitation
Description:
Check out my new video-game and spaghetti-eating streaming channel on Twixer! program and get a flag. source nc mercury.picoctf.net 4593
Hints:
1. http://homes.sice.indiana.edu/yh33/Teaching/I433-2016/lec13-HeapAttacks.pdf

vuln.c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <ctype.h>

#define FLAG_BUFFER 200
#define LINE_BUFFER_SIZE 20


typedef struct {
    uintptr_t (*whatToDo)();
    char *username;
} cmd;

char choice;
cmd *user;

void hahaexploitgobrrr(){
    char buf[FLAG_BUFFER];
    FILE *f = fopen("flag.txt","r");
    fgets(buf,FLAG_BUFFER,f);
    fprintf(stdout,"%s\n",buf);
    fflush(stdout);
}

char * getsline(void) {
    getchar();
    char * line = malloc(100), * linep = line;
    size_t lenmax = 100, len = lenmax;
    int c;
    if(line == NULL)
        return NULL;
    for(;;) {
        c = fgetc(stdin);
        if(c == EOF)
            break;
        if(--len == 0) {
            len = lenmax;
            char * linen = realloc(linep, lenmax *= 2);

            if(linen == NULL) {
                free(linep);
                return NULL;
            }
            line = linen + (line - linep);
            linep = linen;
        }

        if((*line++ = c) == '\n')
            break;
    }
    *line = '\0';
    return linep;
}

void doProcess(cmd* obj) {
    (*obj->whatToDo)();
}

void s(){
    printf("OOP! Memory leak...%p\n",hahaexploitgobrrr);
    puts("Thanks for subsribing! I really recommend becoming a premium member!");
}

void p(){
    puts("Membership pending... (There's also a super-subscription you can also get for twice the price!)");
}

void m(){
    puts("Account created.");
}

void leaveMessage(){
    puts("I only read premium member messages but you can ");
    puts("try anyways:");
    char* msg = (char*)malloc(8);
    read(0, msg, 8);
}

void i(){
    char response;
    puts("You're leaving already(Y/N)?");
    scanf(" %c", &response);
    if(toupper(response)=='Y'){
        puts("Bye!");
        free(user);
    }else{
        puts("Ok. Get premium membership please!");
    }
}

void printMenu(){
    puts("Welcome to my stream! ^W^");
    puts("==========================");
    puts("(S)ubscribe to my channel");
    puts("(I)nquire about account deletion");
    puts("(M)ake an Twixer account");
    puts("(P)ay for premium membership");
    puts("(l)eave a message(with or without logging in)");
    puts("(e)xit");
}

void processInput(){
  scanf(" %c", &choice);
  choice = toupper(choice);
  switch(choice){
    case 'S':
    if(user){
        user->whatToDo = (void*)s;
    }else{
        puts("Not logged in!");
    }
    break;
    case 'P':
    user->whatToDo = (void*)p;
    break;
    case 'I':
    user->whatToDo = (void*)i;
    break;
    case 'M':
    user->whatToDo = (void*)m;
    puts("===========================");
    puts("Registration: Welcome to Twixer!");
    puts("Enter your username: ");
    user->username = getsline();
    break;
   case 'L':
    leaveMessage();
    break;
    case 'E':
    exit(0);
    default:
    puts("Invalid option!");
    exit(1);
      break;
  }
}

int main(){
    setbuf(stdout, NULL);
    user = (cmd *)malloc(sizeof(user));
    while(1){
        printMenu();
        processInput();
        //if(user){
            doProcess(user);
        //}
    }
    return 0;
}

Solution:
The Use After Free vulnerability looks like it is in leaveMessage(), but...
When I try it by hand,
timeout:
is displayed, an error message that is not in the source code.
