picoCTF Practice Writeup 3
A record of studying 11 problems from picoGym Practice Challenges page=3.
The hard problems on this page are:
New Caesar, 626 solves (a test of Python skill more than of Cryptography)
ARMssembly 1, 362 solves (ARM Assembly)
In particular,
Cache Me Outside, 126 solves, was beyond me, so only 11 problems are written up here.
Warmed Up
Category: General Skills
Description:
What is 0x3D (base 16) in decimal (base 10)?
Hints:
- Submit your answer in our flag format. For example, if your answer was '22', you would submit 'picoCTF{22}' as the flag.
Solution:
Just compute it.
The Numbers
Category: Cryptography
Description:
The numbers... what do they mean?
Hints:
Solution:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
PICOCTF{THENUMBERSMASON}
2Warm
Category: General Skills
Description:
Can you convert the number 42 (base 10) to binary (base 2)?
Hints:
Submit your answer in our competition's flag format. For example, if your answer was '11111', you would submit 'picoCTF{11111}' as the flag.
Solution:
Just compute it.
Wireshark doo dooo do doo...
Category: Forensics
Description:
Can you find the flag? shark1.pcapng.
Hints:
(None)
Solution:
Protocol Hierarchy
Line-based text data stands out
ROT13, bingo
speeds and feeds
Category: Reverse Engineering
Description:
There is something on my shop network running at nc mercury.picoctf.net 59953, but I can't tell what it is. Can you?
Hints:
What language does a CNC machine use?
Solution:
This was my first time seeing a machine-tool language.
Apparently CNC has not only G-code but also M-codes, S-codes, T-codes, F-codes and so on.
Shop
Category: Reverse Engineering
Description:
Best Stuff - Cheap Stuff, Buy Buy Buy... Store Instance: source. The shop is open for business at nc mercury.picoctf.net 42159.
Hints:
- Always check edge cases when programming
$ nc mercury.picoctf.net 42159
Welcome to the market!
=====================
You have 40 coins
Item Price Count
(0) Quiet Quiches 10 12
(1) Average Apple 15 8
(2) Fruitful Flag 100 1
(3) Sell an Item
(4) Exit
Choose an option:
Solution:
Fruitful Flag costs 100 coins, but you only have 40.
If you buy -100 Quiet Quiches, your coins increase by 1000:
balance = balance - ( 10 * -100 )
Then buy Fruitful Flag.
$ nc mercury.picoctf.net 42159
Welcome to the market!
=====================
You have 40 coins
Item Price Count
(0) Quiet Quiches 10 12
(1) Average Apple 15 8
(2) Fruitful Flag 100 1
(3) Sell an Item
(4) Exit
Choose an option:
0
How many do you want to buy?
-100
You have 1040 coins
Item Price Count
(0) Quiet Quiches 10 112
(1) Average Apple 15 8
(2) Fruitful Flag 100 1
(3) Sell an Item
(4) Exit
Choose an option:
2
How many do you want to buy?
1
Flag is: [112 105 99 111 67 84 70 123 98 52 100 95 98 114 111 103 114 97 109 109 101 114 95 55 57 55 98 50 57 50 99 125]
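Added example (not from the writeup and not the challenge's own source): a Python model of the purchase logic the session above relies on. The unchecked version reproduces the negative-quantity edge case from the hint, the hardened version beside it rejects non-positive quantities and over-buying before touching the wallet, and a small decoder turns the decimal byte list the shop prints into text. The Item class, inventory and function names are my own constructs; the prices and counts mirror the listing in the session.

```python
from dataclasses import dataclass


@dataclass
class Item:
    name: str
    price: int
    count: int


def make_shop():
    # Constructed inventory mirroring the listing printed by the nc session above
    return [
        Item("Quiet Quiches", 10, 12),
        Item("Average Apple", 15, 8),
        Item("Fruitful Flag", 100, 1),
    ]


def buy_unchecked(wallet, item, qty):
    # Models the flawed logic the writeup exploits: the quantity is never checked
    # for sign, so a negative qty makes the cost negative and the wallet grows.
    cost = item.price * qty
    if cost > wallet:
        raise ValueError("not enough coins")
    item.count -= qty           # 12 - (-100) = 112, as seen in the session
    return wallet - cost        # 40 - (10 * -100) = 1040


def buy_checked(wallet, item, qty):
    # Hardened version: validate the quantity and the stock before any
    # arithmetic touches the wallet.
    if qty <= 0:
        raise ValueError("quantity must be a positive integer")
    if qty > item.count:
        raise ValueError("not enough stock")
    cost = item.price * qty
    if cost > wallet:
        raise ValueError("not enough coins")
    item.count -= qty
    return wallet - cost


def decode_flag(codes):
    # The shop prints the flag as a list of decimal byte values; map them back to text.
    return "".join(chr(c) for c in codes)


def replay_exploit():
    # Walks the exact sequence from the session: buy -100 quiches, then one flag.
    # Returns (remaining coins, quiche count, flag count).
    shop = make_shop()
    wallet = buy_unchecked(40, shop[0], -100)
    wallet = buy_unchecked(wallet, shop[2], 1)
    return wallet, shop[0].count, shop[2].count


def hardened_rejects_negative():
    # The same first step against the checked version must fail.
    shop = make_shop()
    try:
        buy_checked(40, shop[0], -100)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(replay_exploit())
    print(hardened_rejects_negative())
    print(decode_flag([112, 105, 99, 111, 67, 84, 70, 123, 98, 52, 100, 95, 98, 114, 111, 103,
                       114, 97, 109, 109, 101, 114, 95, 55, 57, 55, 98, 50, 57, 50, 99, 125]))
```

The sign check is the whole fix: once qty is forced positive, the cost can never be negative, and the stock check stops the count from growing past what the shop actually holds.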
Scavenger Hunt
Category: Web Exploitation
Description:
There is some interesting information hidden around this site http://mercury.picoctf.net:39491/. Can you find it?
Hints:
You should have enough hints to find the files, don't run a brute forcer.
Only hints
How can I keep Google from indexing my website?
Next hint
I think this is an apache server... can you Access the next flag?
Next hint
I love making websites on my Mac, I can Store a lot of information there.
What gets left behind when you edit on a Mac? Automatic backups?
.DocumentRevisions-V100
No good
MacroHard WeakEdge
Category: Forensics
Description:
I've hidden a flag in this file. Can you find it? Forensics is fun.pptm
Hints:
(None)
Solution:
pptm = PowerPoint macro-enabled presentation
The usual trick: change the extension to zip
Found a suspicious file named hidden
Bingo
New Caesar
A good problem.
picoCTF 2021 New Caesar Writeup
ARMssembly 1
Category: Reverse Engineering
Description:
For what argument does this program print win
with variables 79, 7 and 3? File: chall_1.S Flag format: picoCTF{XXXXXXXX} -> (hex, lowercase, no 0x, and 32 bits. ex. 5614267 would be picoCTF{0055aabb})
Hints:
Shifts
.arch armv8-a
.file "chall_1.c"
.text
.align 2
.global func
.type func, %function
func:
sub sp, sp, #32
str w0, [sp, 12]
mov w0, 79
str w0, [sp, 16]
mov w0, 7
str w0, [sp, 20]
mov w0, 3
str w0, [sp, 24]
ldr w0, [sp, 20]
ldr w1, [sp, 16]
lsl w0, w1, w0
str w0, [sp, 28]
ldr w1, [sp, 28]
ldr w0, [sp, 24]
sdiv w0, w1, w0
str w0, [sp, 28]
ldr w1, [sp, 28]
ldr w0, [sp, 12]
sub w0, w1, w0
str w0, [sp, 28]
ldr w0, [sp, 28]
add sp, sp, 32
ret
.size func, .-func
.section .rodata
.align 3
.LC0:
.string "You win!"
.align 3
.LC1:
.string "You Lose :("
.text
.align 2
.global main
.type main, %function
main:
stp x29, x30, [sp, -48]!
add x29, sp, 0
str w0, [x29, 28]
str x1, [x29, 16]
ldr x0, [x29, 16]
add x0, x0, 8
ldr x0, [x0]
bl atoi
str w0, [x29, 44]
ldr w0, [x29, 44]
bl func
cmp w0, 0
bne .L4
adrp x0, .LC0
add x0, x0, :lo12:.LC0
bl puts
b .L6
.L4:
adrp x0, .LC1
add x0, x0, :lo12:.LC1
bl puts
.L6:
nop
ldp x29, x30, [sp], 48
ret
.size main, .-main
.ident "GCC: (Ubuntu/Linaro 7.5.0-3ubuntu1~18.04) 7.5.0"
.section .note.GNU-stack,"",@progbits
Solution:
First, from the problem statement we are given:
1st argument 79
2nd argument 7
3rd argument 3
lsl and sdiv catch the eye.
Explaining only the important part:
mov w0, 79
str w0, [sp, 16] # 79 is stored at sp+16
mov w0, 7
str w0, [sp, 20] # 7 is stored at sp+20
mov w0, 3
str w0, [sp, 24] # 3 is stored at sp+24
ldr w0, [sp, 20]
ldr w1, [sp, 16]
lsl w0, w1, w0 # w0(10112) = w1(79) << w0(7)
str w0, [sp, 28] # 10112 is stored at sp+28
ldr w1, [sp, 28]
ldr w0, [sp, 24]
sdiv w0, w1, w0 # w0 = w1(10112) / w0(3)
( 79 << 7 ) / 3 = 3370 = 0xd2a
picoCTF{00000d2a}
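Added example (not from the writeup): a Python re-implementation of func from chall_1.S with w-register semantics, so the same derivation can be rerun for other variable values. LSL (register) on a 32-bit register uses only the low 5 bits of the shift amount, SDIV truncates toward zero (Python's // floors) and returns 0 on division by zero, and every intermediate is wrapped to signed 32 bits. main prints "You win!" when func returns 0, so the winning argument is just the quotient. The helper names are mine.

```python
MASK32 = 0xFFFFFFFF


def to_i32(x):
    # Reinterpret a Python int as a signed 32-bit value, the way a w register holds it.
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def lsl32(value, amount):
    # LSL (register) on a w register uses only the low 5 bits of the shift amount.
    return to_i32(value << (amount & 31))


def sdiv32(dividend, divisor):
    # AArch64 SDIV rounds toward zero and yields 0 for a zero divisor;
    # Python's // floors, so the sign is handled explicitly.
    if divisor == 0:
        return 0
    q = abs(dividend) // abs(divisor)
    return to_i32(-q if (dividend < 0) != (divisor < 0) else q)


def func(arg, a=79, b=7, c=3):
    # Mirrors func in chall_1.S: ((a << b) / c) - arg in 32-bit signed arithmetic.
    shifted = lsl32(a, b)           # lsl w0, w1, w0
    quotient = sdiv32(shifted, c)   # sdiv w0, w1, w0
    return to_i32(quotient - arg)   # sub w0, w1, w0


def winning_argument(a=79, b=7, c=3):
    # main runs "cmp w0, 0 / bne .L4", so it prints "You win!" only when func returns 0,
    # i.e. when the argument equals the quotient.
    return sdiv32(lsl32(a, b), c)


def flag(n):
    # Flag format from the challenge: 32-bit value as 8 lowercase hex digits, no 0x.
    return "picoCTF{%08x}" % (n & MASK32)


if __name__ == "__main__":
    n = winning_argument()
    print(n, hex(n), func(n), flag(n))
```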
Some Assembly Required 1
Category: Web Exploitation
Description:
http://mercury.picoctf.net:26318/index.html
Hints:
(None)
Solution:
Page source
<html>
<head>
<meta charset="UTF-8">
<script src="G82XCw5CX3.js"></script>
</head>
<body>
<h4>Enter flag:</h4>
<input type="text" id="input"/>
<button onclick="onButtonPress()">Submit</button>
<p id="result"></p>
</body>
</html>
Let's look at the JavaScript
const _0x402c = ['value', '2wfTpTR', 'instantiate', '275341bEPcme', 'innerHTML', '1195047NznhZg', '1qfevql', 'input', '1699808QuoWhA', 'Correct!', 'check_flag', 'Incorrect!', './JIFxzHyW8W', '23SMpAuA', '802698XOMSrr', 'charCodeAt', '474547vVoGDO', 'getElementById', 'instance', 'copy_char', '43591XxcWUl', '504454llVtzW', 'arrayBuffer', '2NIQmVj', 'result'];
const _0x4e0e = function (_0x553839, _0x53c021) {
_0x553839 = _0x553839 - 0x1d6;
let _0x402c6f = _0x402c[_0x553839];
return _0x402c6f;
};
(function (_0x76dd13, _0x3dfcae) {
const _0x371ac6 = _0x4e0e;
while (!![]) {
try {
const _0x478583 = -parseInt(_0x371ac6(0x1eb)) + parseInt(_0x371ac6(0x1ed)) + -parseInt(_0x371ac6(0x1db)) * -parseInt(_0x371ac6(0x1d9)) + -parseInt(_0x371ac6(0x1e2)) * -parseInt(_0x371ac6(0x1e3)) + -parseInt(_0x371ac6(0x1de)) * parseInt(_0x371ac6(0x1e0)) + parseInt(_0x371ac6(0x1d8)) * parseInt(_0x371ac6(0x1ea)) + -parseInt(_0x371ac6(0x1e5));
if (_0x478583 === _0x3dfcae) break;
else _0x76dd13['push'](_0x76dd13['shift']());
} catch (_0x41d31a) {
_0x76dd13['push'](_0x76dd13['shift']());
}
}
}(_0x402c, 0x994c3));
let exports;
(async() => {
const _0x48c3be = _0x4e0e;
let _0x5f0229 = await fetch(_0x48c3be(0x1e9)),
_0x1d99e9 = await WebAssembly[_0x48c3be(0x1df)](await _0x5f0229[_0x48c3be(0x1da)]()),
_0x1f8628 = _0x1d99e9[_0x48c3be(0x1d6)];
exports = _0x1f8628['exports'];
})();
function onButtonPress() {
const _0xa80748 = _0x4e0e;
let _0x3761f8 = document['getElementById'](_0xa80748(0x1e4))[_0xa80748(0x1dd)];
for (let _0x16c626 = 0x0; _0x16c626 < _0x3761f8['length']; _0x16c626++) {
exports[_0xa80748(0x1d7)](_0x3761f8[_0xa80748(0x1ec)](_0x16c626), _0x16c626);
}
exports['copy_char'](0x0, _0x3761f8['length']), exports[_0xa80748(0x1e7)]() == 0x1 ? document[_0xa80748(0x1ee)](_0xa80748(0x1dc))[_0xa80748(0x1e1)] = _0xa80748(0x1e6) : document[_0xa80748(0x1ee)](_0xa80748(0x1dc))[_0xa80748(0x1e1)] = _0xa80748(0x1e8);
}
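Added example (not from the writeup and not part of the challenge): a Python deobfuscator for the script above. It reproduces the self-checking loop (push(shift()) rotates the string table left until the parseInt arithmetic equals 0x994c3) and then resolves every accessor call of the form _0x....(0x1xx) to the string it returns, which is what makes the WebAssembly calls readable. The STRINGS table, the offset 0x1d6 and the target 0x994c3 are copied from the script; js_parse_int and the other helper names are mine.

```python
import re

# Copy of the shuffled string table from G82XCw5CX3.js (shown above),
# plus the index offset and the loop's target constant from the same script.
STRINGS = ['value', '2wfTpTR', 'instantiate', '275341bEPcme', 'innerHTML',
           '1195047NznhZg', '1qfevql', 'input', '1699808QuoWhA', 'Correct!',
           'check_flag', 'Incorrect!', './JIFxzHyW8W', '23SMpAuA', '802698XOMSrr',
           'charCodeAt', '474547vVoGDO', 'getElementById', 'instance', 'copy_char',
           '43591XxcWUl', '504454llVtzW', 'arrayBuffer', '2NIQmVj', 'result']
OFFSET = 0x1d6
TARGET = 0x994c3


def js_parse_int(s):
    # JavaScript parseInt: leading decimal digits only; NaN (None here) if there are none.
    m = re.match(r'\s*([+-]?\d+)', s)
    return int(m.group(1)) if m else None


def checksum(table):
    # The arithmetic from the self-checking loop in the script, term by term.
    def at(code):
        return table[code - OFFSET]
    terms = [js_parse_int(at(c)) for c in
             (0x1eb, 0x1ed, 0x1db, 0x1d9, 0x1e2, 0x1e3, 0x1de, 0x1e0, 0x1d8, 0x1ea, 0x1e5)]
    if any(t is None for t in terms):
        return None  # NaN never equals the target in JS, so the loop keeps rotating
    a, b, c, d, e, f, g, h, i, j, k = terms
    return -a + b + (-c * -d) + (-e * -f) + (-g * h) + (i * j) + -k


def unshuffle(strings):
    # push(shift()) rotates the table left by one until the checksum matches.
    table = list(strings)
    for _ in range(len(table)):
        if checksum(table) == TARGET:
            return table
        table.append(table.pop(0))
    raise ValueError("no rotation satisfies the checksum")


def resolve(table, code):
    # What _0x4e0e(code) returns once the table is in its final order.
    return table[code - OFFSET]


def deobfuscate(source, table):
    # Replace every accessor call such as _0xa80748(0x1e7) with the string literal it yields.
    return re.sub(r'_0x[0-9a-f]+\((0x[0-9a-f]+)\)',
                  lambda m: "'" + resolve(table, int(m.group(1), 16)) + "'",
                  source)


if __name__ == "__main__":
    table = unshuffle(STRINGS)
    print(deobfuscate("exports[_0xa80748(0x1d7)](_0x3761f8[_0xa80748(0x1ec)](_0x16c626), _0x16c626)", table))
    print(deobfuscate("exports[_0xa80748(0x1e7)]() == 0x1", table))
    print(deobfuscate("fetch(_0x48c3be(0x1e9))", table))
```

Run over the whole script, the replacements show that the page fetches ./JIFxzHyW8W as the wasm module, copies each typed character in with copy_char, and then calls check_flag; that is the path to follow in the developer tools.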
What is WebAssembly?
The docs say things like "it also contains the logic that calls the WebAssembly JavaScript API mentioned earlier to fetch, load, and run the wasm file."
Looking in the developer tools,
you can find the wasm.
I don't really understand it, but I could see the flag. (ESP?)