picoCTF Writeup : Verify


Introduction

Problem statement

Description
People keep trying to trick my players with imitation flags. I want to make sure they get the real thing! I'm going to provide the SHA-256 hash and a decrypt script to help you know that my flags are legitimate.
Additional details will be available after launching your challenge instance.

After I clicked Launch Instance, the following text also appeared:

Remember, in a shell, passwords are hidden!
Checksum: fba9f49bf22aa7188a155768ab0dfdc1f9b86c47976cd0f7c9003af2e20598f7
To decrypt the file once you've verified the hash, run ./decrypt.sh files/.

Write up

First, log in over SSH as described in the problem statement.

ctf-player@pico-chall$ whoami
ctf-player
ctf-player@pico-chall$ pwd
/home/ctf-player/drop-in
ctf-player@pico-chall$ ls -la
total 20
drwxr-xr-x 3 ctf-player ctf-player   57 Mar 12  2024 .
drwxr-xr-x 1 ctf-player ctf-player   20 Nov 26 13:11 ..
-rw-r--r-- 1 root       root         65 Mar 12  2024 checksum.txt
-rwxr-xr-x 1 root       root        856 Mar 12  2024 decrypt.sh
drwxr-xr-x 2 ctf-player ctf-player 8192 Mar 12  2024 files
ctf-player@pico-chall$ 

I also took a look at the contents of decrypt.sh.
It doesn't seem to be doing anything strange...

ctf-player@pico-chall$ cat decrypt.sh 

        #!/bin/bash

        # Check if the user provided a file name as an argument
        if [ $# -eq 0 ]; then
            echo "Expected usage: decrypt.sh <filename>"
            exit 1
        fi

        # Store the provided filename in a variable
        file_name="$1"

        # Check if the provided argument is a file and not a folder
        if [ ! -f "/home/ctf-player/drop-in/$file_name" ]; then
            echo "Error: '$file_name' is not a valid file. Look inside the 'files' folder with 'ls -R'!"
            exit 1
        fi

        # If there's an error reading the file, print an error message
        if ! openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt -in "/home/ctf-player/drop-in/$file_name" -k picoCTF; then
            echo "Error: Failed to decrypt '$file_name'. This flag is fake! Keep looking!"
        fi

checksum.txt, which is the key to this challenge, contained a SHA-256 hash value.

fba9f49bf22aa7188a155768ab0dfdc1f9b86c47976cd0f7c9003af2e20598f7

It was stated in the problem statement too, but I checked just to be sure.

┌──(root㉿kali)-[~]
└─# hash-identifier                                       
/usr/share/hash-identifier/hash-id.py:13: SyntaxWarning: invalid escape sequence '\ '
--------------------------------------------------
 HASH: fba9f49bf22aa7188a155768ab0dfdc1f9b86c47976cd0f7c9003af2e20598f7

Possible Hashs:
[+] SHA-256
[+] Haval-256

Least Possible Hashs:
[+] GOST R 34.11-94
[+] RipeMD-256
[+] SNEFRU-256
[+] SHA-256(HMAC)
[+] Haval-256(HMAC)
[+] RipeMD-256(HMAC)
[+] SNEFRU-256(HMAC)
[+] SHA-256(md5($pass))
[+] SHA-256(sha1($pass))
--------------------------------------------------

I tried various things, and it seems that sha256sum works.

ctf-player@pico-chall$ sha256sum checksum.txt 
da498696036e38f06e75a154878b42a28e14701405140a71f1f5a1e147e071d1  checksum.txt

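I thought that if I decrypted the files in files/ and hashed the result, it would match the checksum (I later realized this was a misunderstanding (-_-;)). I wanted to write a script and loop over the files with a for loop, but there is not a single editor available...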

ctf-player@pico-chall$ vi
-bash: vi: command not found
ctf-player@pico-chall$ vim
-bash: vim: command not found
ctf-player@pico-chall$ nano
-bash: nano: command not found
ctf-player@pico-chall$ gedit
-bash: gedit: command not found
ctf-player@pico-chall$ 

For now I tried Hashcat (I was badly mistaken here).

┌──(root㉿kali)-[~]
└─#  hashcat -m 1400 'fba9f49bf22aa7188a155768ab0dfdc1f9b86c47976cd0f7c9003af2e20598f7' /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-12th Gen Intel(R) Core(TM) i5-12450H, 3110/6285 MB (1024 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

The result is below; Recovered is 0/1, so it seems nothing was found.

Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 1400 (SHA2-256)
Hash.Target......: fba9f49bf22aa7188a155768ab0dfdc1f9b86c47976cd0f7c90...0598f7
Time.Started.....: Tue Nov 26 21:57:06 2024 (16 secs)
Time.Estimated...: Tue Nov 26 21:57:22 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   562.2 kH/s (0.34ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[212173657879616e67656c2121] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 26%

Started: Tue Nov 26 21:57:05 2024
Stopped: Tue Nov 26 21:57:24 2024
                                   

I was stuck at this point, so I looked at hint 2.

You can create a SHA checksum of a file with sha256sum <file> or all files in a directory with sha256sum <directory>/*.

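I had assumed that the SHA-256 hash of the decrypted output would match the checksum, but does it match even before decryption...?
(This is where I realized my misunderstanding.)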

I gave it a try, and:

ctf-player@pico-chall$ sha256sum files/* > sha256sum_output.txt
ctf-player@pico-chall$ grep 'fba9f49bf22aa7188a155768ab0dfdc1f9b86c47976cd0f7c9003af2e20598f7' sha256sum_output.txt 
fba9f49bf22aa7188a155768ab0dfdc1f9b86c47976cd0f7c9003af2e20598f7  files/87590c24
ctf-player@pico-chall$ ./decrypt.sh files/87590c24 
picoCTF{trust_but_verify_87590c24}

It worked!
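The same check as a reusable function, written as an added example (not part of the original write-up or the challenge files): it hashes every file in a directory as distributed, before any decryption, and prints the one whose SHA-256 equals the published checksum. The function name find_by_sha256, the demo file names and their contents are constructed for illustration. It can be pasted straight into the shell, so no editor is needed.

```shell
#!/bin/sh
# Added example: locate the file whose SHA-256 digest equals a published checksum.

# find_by_sha256 <directory> <expected-hex-digest>
# Prints each matching regular file. Returns 0 on a match, 1 if nothing
# matched, 2 if the expected value is not a well-formed SHA-256 hex digest.
find_by_sha256() {
    dir=$1
    # Normalise case so an upper-case checksum still compares equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # A SHA-256 digest is exactly 64 hex characters; refuse anything else
    # instead of silently reporting "no match" for a truncated value.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2

    found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Read via stdin so unusual file names cannot alter the output format.
        actual=$(sha256sum < "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return "$found"
}

# Constructed demo: three sample files, one of which is the published one.
# In the challenge the expected value comes from checksum.txt instead.
demo() {
    tmp=$(mktemp -d)
    printf 'imitation-1\n' > "$tmp/aaaa0001"
    printf 'genuine\n'     > "$tmp/bbbb0002"
    printf 'imitation-2\n' > "$tmp/cccc0003"
    published=$(sha256sum < "$tmp/bbbb0002" | cut -d' ' -f1)
    match=$(find_by_sha256 "$tmp" "$published")
    rm -rf "$tmp"
    basename "$match"
}

demo
```

On the challenge host the equivalent call would be find_by_sha256 files "$(cat checksum.txt)", with decrypt.sh run only on the path it prints.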

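Conclusion

Here is what I learned this time:

  • It is important to work hard at finding the commands you can use
  • Misunderstandings are scary (not just in CTFs)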