LoginSignup
1
0

More than 1 year has passed since last update.

@mikecat_mixc

CyBRICS Capture The Flag 2021 writeup

Posted at

概要 / About

CyBRICS Capture The Flag 2021 (2021/07/24 19:00 ~ 2021/07/25 19:00 (JST)) (CTFtime.org) に1人チームで参加した。
474点を獲得し、正の点数を獲得した482チーム中82位だった。

I participated in CyBRICS Capture The Flag 2021 (July 24, 2021 19:00 - July 25, 2021 19:00 (JST: UTC+9)) (CTFtime.org) as an one-person team.
I earned 474 points and ranked 82nd among 482 teams that earned positive score.

解けた問題と解いた時刻は以下の通りである。

Here is a list of tasks I solved and times I solved them on.

Task Category Value Time (JST)
Scanner rebyC 50 2021/07/24 23:16
Listing Reverse 72 2021/07/25 00:06
Ad Network Web 50 2021/07/25 00:53
ASCII Terminal Network 116 2021/07/25 02:13
Mic Check Cyber 50 2021/07/25 03:37
Kernel Reverse Reverse 136 2021/07/25 14:26

Score over Time

解けた問題 / Tasks I solved

Mic Check (Cyber)

ルールのページへのリンクが張られており、そのルールのページにflagが書かれていた。
素直にflagを取らせない工夫をしていたが開始10分で解除した、というようなことが問題文に書かれていたが、詳細は不明。

A link to the page about rules was provided and the flag was in the rule page.
The task description said that there was a trick to prevent direct capturing of the flag and that the trick was disabled 10 minutes after the start of the competition, but I don't know about the details of this.

cybrics{Th1S_i5_T3h_R34l_m1C_ch3CK_f1A6}

Scanner (rebyC)

WebページのURLが与えられた。
このWebページは、狭い視界を絵が通っていくGIFアニメが表示され、それが何かを答えさせるものだった。

An URL of a Web page was given.
This Web page showed an animated GIF in which a picture passes in a narrow sight, and asked what the picture is.

まず、以下のプログラムでGIFアニメの各フレームを抽出し、観察した。

Firstly, I extracted each frames of the animated GIF via this program and observed.

get_frames.py
get_frames.py
import cv2
import sys

if len(sys.argv) < 3:
    sys.stderr.writeline("Usage: get_frames.py input_file output_dir")
    sys.exit(1)

video = cv2.VideoCapture(sys.argv[1])
if not video.isOpened():
    sys.stderr.writeline("failed to open input")

count = 1
while True:
    ret, frame = video.read()
    if not ret:
        break
    cv2.imwrite("%s/%03d.png" % (sys.argv[2], count), frame)
    count += 1

その結果、絵は2フレームでだいたい視界の幅分動いていることがわかった。
これを踏まえ、絵を復元する以下のプログラムを書いた。

As a result, I found that the picture is moving by about the width of the sight each 2 frames.
Based on this, I created this program to recover the picture:

concat_frames.py
concat_frames.py
import cv2
import sys

if len(sys.argv) < 3:
    sys.stderr.writeline("Usage: concat_frames.py input_file output_file [start_pos [end_pos]]")
    sys.exit(1)

start_y = int(sys.argv[3]) if len(sys.argv) > 3 else 496
end_y = int(sys.argv[4]) if len(sys.argv) > 4 else 518

video = cv2.VideoCapture(sys.argv[1])
if not video.isOpened():
    sys.stderr.writeline("failed to open input")

images = []

while True:
    # skip one frame
    ret, frame = video.read()
    if not ret:
        break
    ret, frame = video.read()
    if not ret:
        break
    images.append(frame[start_y:end_y,:])

cv2.imwrite(sys.argv[2], cv2.vconcat(images))

各ステージの復元結果と答えは以下のようになった。
Level #1 は答えを4個の中から選ぶ形式、他は答えを自由入力させる形式だった。

The results of recovery and answer for each level are below.
I asked to choose the answer from 4 choice in Level #1 and to type the answer in the other levels.

Level #1 Level #2 Level #3 Level #4 Level #5
house bone moon apple ?
Level #1 Level #2 level #3 Level #4 Level #5

Level #5 の復元結果をCyberChefで処理することで、flagが得られた。

I obtained the flag by processing what is recovered in Level #5 via CyberChef.

cybrics{N0w_Y0u_4r3_4_c4sh13r_LOL}

Kernel Reverse (Reverse)

SSHサーバの接続情報が与えられた。
Tera Termでサーバに接続し、とりあえずlsを実行すると、ioctl.koというファイルが置かれていた。
fileコマンドを実行すると、以下の出力がされた。

Information to connect to a SSH server was given.
Connecting to the server via Tera Term and executingls command, I found there was a fileioctl.ko.
Executing file command, it showed this output:

$ file ioctl.ko
ioctl.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=df785cb97d70de2ae5493fa26595d8bd0d1e50a6, with debug_info, not stripped

このioctl.koをSCPでダウンロードしてGhidraで逆コンパイルした。
ioctl_d_interface_ioctl関数を見ると、param_20x5702であり、かつextraout_RDXが指す場所の値が
ktime_get_real_ts64関数で取得した値のうち最初のものとvallの値をxorしたものになっているとき、
copy_user_generic_unrolled関数を用いてextraout_RDXが指す場所にflagをコピーするようになっていた。
vallの値は、vallをGhidraでダブルクリックすると表示された。

I downloaded this ioctl.ko via SCP and decompiled via Ghidra.
Reading the ioctl_d_interface_ioctl function, I found it copying flag to where extraout_RDX points at via copy_user_generic_unrolled function if param_2 is 0x5702 and what extraout_RDX points at is the first value obtained via ktime_get_real_ts64 function exclusive-ored with vall.
The value of vall was shown after double-clicking vall on Ghidra.

関数名から、この処理はioctl()に関係していそうだと考えた。
ioctl()は、デバイスファイルに対して操作を行うAPIである。
init_module関数を見ると、ioctl_d_interface_nameを用いてalloc_chrdev_region関数を呼び出し、
その結果に基づいてioctl_d_interface_majorを設定していた。
ioctl_d_interface_nameの値をGhidraで調べると、s_ioctl_d_001004ccとなっており、
さらにこれは"ioctl_d"となっていた。

Seeing the function name, I thought this function is related to ioctl().
ioctl() is an API to manipulate device files.
Reading the init_module function, it was calling alloc_chrdev_region function with ioctl_d_interface_name and setting the value of ioctl_d_interface_major based on its result.
Looking up for the value of ioctl_d_interface_name with Ghidra, the value was s_ioctl_d_001004cc and it meant "ioctl_d".

Linux Kernelの簡単なCharacter Deviceを作成する方法(Linked List APIの使用方法サンプル)
より、デバイスのメジャー番号はcat /proc/devicesコマンドで調べることができることがわかった。
実際に実行すると、Character devices の242がioctl_dとなっていた。
さらに、ls -l /devコマンドを実行すると、以下の行があった。

We can found the major device numbers via cat /proc/devices command.
Executing this command, I found ioctl_d as no. 242 in "Character devices".
Also, I executed ls -l /dev command, finding this line:

crwxrwxrwx 1 root root    242,   0 Jul 24 07:13 ioctl

このことから、/dev/ioctlを通じてioctl_d_interface_ioctl関数を呼び出せそうだと推理した。
これに基づき、以下のプログラムを作成した。
さらに、これをSCPでアップロードし、make progコマンドでコンパイルした。

From this results, I thought that the ioctl_d_interface_ioctl function can be called via /dev/ioctl.
Based on this, I created following program.
Then, I uploaded this via SCP and compiled via make prog command.

prog.c
prog.c
#include <stdio.h>
#include <errno.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <string.h>
#include <time.h>

int main(void) {
    unsigned int magic = 0x13373389;
    time_t t;
    char hoge[1024] = "";
    int fd = open("/dev/ioctl", O_RDWR);
    int ret;
    if (fd < 0) {
        puts("open error");
        return 1;
    }
    t = time(NULL);
    magic ^= (unsigned int)t;
    memcpy(hoge, &magic, sizeof(magic));
    errno = 0;
    ret = ioctl(fd, 0x5702, hoge);
    if (errno != 0) perror("ioctl");
    printf("ret = %d, errno = %d\n", ret, errno);
    puts(hoge);
    return 0;
}

コンパイルしたバイナリを実行することで、flagが得られた。

I obtained the flag by executing the compiled binary.

Cybrics{R3V3R5_DR1V3R5}

ASCII Terminal (Network)

TCPサーバの接続情報と、以下のファイルid.txtが与えられた。

Information to connect to a TCP server and a file id.txt (shown below) were given.

id.txt
id.txt
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
...........................+:.............,,..............................................
...........................#+............;$@,.............................................
...........................*:..............$,.............................................
...........................................$,.............................................
........................,+++:........,*?*:.$,.............................................
........................,**%+.......;#+;+$+$,.............................................
...........................*+......,#,....%@,.............................................
...........................*+......?+.....,@,.............................................
...........................*+......%,......#,.............................................
...........................*+......%:......#,.............................................
...........................*+......+*.....:@,.............................................
...........................*+......,$;...,$#,.............................................
.......................,$######$,...,$%?%$:$#*............................................
......................................:;:.................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
.

Tera Termでサーバに接続すると、以下の出力がされた。

Connecting to the server via Tera Term, it gave me following output:

サーバの出力 / Output from the server
............................................................................................................................................
............................................................................................................................................
............................................................................................................................................
............................................................................................................................................
............................................................................................................................................
...........................................................@................................................................................
......%@,.............................%@,...............:%#@#?,.............................................................................
......%@,.............................%@,..............;@@@@@@$.............................................................................
......%@,.............................%@,..............$@?:@:$@+............................................................................
......%@,.............................%@,..............@#..@.:@%............................................................................
......%@,?@@%:....;%#@@$+....*#@@$;...%@,*#@$;.........#@,.@................................................................................
......%@%@@@@@:..;@@@@@@@;..?@@@@@@;..%@%@@@@@:........?@#+@................................................................................
......%@@+,:$@%..$@+,.:?@%.,@#:,,+@$..%@@+,:$@?........,%@@@%+..............................................................................
......%@+...,@@,.......,@$.,@#;.......%@+...:@$..........:%@@@$,............................................................................
......%@,....%@;...:+*%#@$..$@@@$*,...%@:....@$............@+$@%............................................................................
......%@.....?@;.:$@@@@@@$..,%@@@@@+..%@,....@$............@.,#@,...........................................................................
......%@,....%@:.#@#?*;:@$....,+%#@@,.%@,....@$............@..%@:...........................................................................
......%@;...,@@,;@$....+@$........$@:.%@,....@$.......:@%..@..#@,...........................................................................
......%@@;,:$@%.:@#:,,*@@$.:@$:,,;#@,.%@,....@$........#@?,@:%@$............................................................................
......%@%@@@@#,..$@@@@@@@@..%@@@@@@?..%@,....@$........;@@@@@@@:............................................................................
......%@,%@@%,...,%#@#%;$@:.,*#@@$+...%@,....@$.........;%@@@%:.............................................................................
...........................................................@................................................................................
...........................................................@................................................................................
............................................................................................................................................
............................................................................................................................................
............................................................................................................................................
............................................................................................................................................
............................................................................................................................................
............................................................................................................................................
............................................................................................................................................

サーバにid.txtの内容を送信すると、以下の出力がされた。

Sending the contents of id.txt to the server, it gave me following output:

サーバの出力 / Output from the server
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'...........................+:.............,,..............................................\n'
'...........................#+............;$@,.............................................\n'
'...........................*:..............$,.............................................\n'
'...........................................$,.............................................\n'
'........................,+++:........,*?*:.$,.............................................\n'
'........................,**%+.......;#+;+$+$,.............................................\n'
'...........................*+......,#,....%@,.............................................\n'
'...........................*+......?+.....,@,.............................................\n'
'...........................*+......%,......#,.............................................\n'
'...........................*+......%:......#,.............................................\n'
'...........................*+......+*.....:@,.............................................\n'
'...........................*+......,$;...,$#,.............................................\n'
'.......................,$######$,...,$%?%$:$#*............................................\n'
'......................................:;:.................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'..........................................................................................\n'
'.\n'
Recog 31
Executing command 'id

'
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.................%@,.......,@%..................,@*.....,*#@#*.....,*#@#*.....,*#@#*.....................%@,.......,@%...............,*#@#*.......%%................................::...*$.....................................................................................,*#@#*.......%%................................::...*$......................................................................................................................................................................................................................................................................................................................................................................................
.................%@,.......,@%.................,$@*.....%@@@@@%....%@@@@@%....%@@@@@%....................%@,.......,@%...............%@@@@@%.....;@:...............................;@+...,@*....................................................................................%@@@@@%.....;@:...............................;@+...,@*.....................................................................................................................................................................................................................................................................................................................................................................................
...........................,@%................,$@@*....;@#;,;#@;..;@#;,;#@;..;@#;,;#@;.............................,@%..............;@#;,;#@;...,#?................................+@+....*@,..................................................................................;@#;,;#@;...,#?................................+@+....*@,....................................................................................................................................................................................................................................................................................................................................................................................
...........................,@%...............+@@$@*....%@;...;@%..%@;...;@%..%@;...;@%.............................,@%..............%@;...;@%...+@:................................+@+....,@?..................................................................................%@;...;@%...+@:................................+@+....,@?....................................................................................................................................................................................................................................................................................................................................................................................
......$@,...,@%..%@,..:%@@?,@%...............##;;@*....@@.....@@..@@.....@@..@@.....@@.........:%@@%,#$..%@,..:%@@?,@%..............@@.....@@...##....%#:#@%..,?#@#?,....,?#@#?,..%@@@@:...%@,.........:%@@%,#$..%#:#@%..,?#@#?,...$@,...,@%..%@,?@@%:....*#@@$;...............@@.....@@...##....%#:#@%..,?#@#?,....,?#@#?,..%@@@@:...%@,...................................................................................................................................................................................................................................................................................................................................................................................
......$@,...,@%..%@,.:@@@@@%@%..#@@@@@@@@?...;..;@*...,@$.....$@,,@$.....$@,,@$.....$@,.......:@@@@@$#$..%@,.:@@@@@%@%..#@@@@@@@@?.,@$.....$@,.:@?....%##@@?.,#@@@@@#:..,#@@@@@#:.%@@@@:...+@+........:@@@@@$#$..%##@@?.,#@@@@@#:..$@,...,@%..%@%@@@@@:..?@@@@@@;..#@@@@@@@@?.,@$.....$@,.:@?....%##@@?.,#@@@@@#:..,#@@@@@#:.%@@@@:...+@+...................................................................................................................................................................................................................................................................................................................................................................................
......$@,...,@%..%@,.%@%:,+@@%..#@@@@@@@@?......;@*...,@%.....%@:,@%.....%@:,@%.....%@:.......%@$:,+@@$..%@,.%@%:,+@@%..#@@@@@@@@?.,@%.....%@:.*@;....%@#:...%@$:,:$@$..%@$:,:$@$..+@+.....:@?........%@$:,+@@$..%@#:...%@$:,:$@$..$@,...,@%..%@@+,:$@%.,@#:,,+@$..#@@@@@@@@?.,@%.....%@:.*@;....%@#:...%@$:,:$@$..%@$:,:$@$..+@+.....:@?...................................................................................................................................................................................................................................................................................................................................................................................
......$@,...,@%..%@,,@#,...+@%..................;@*...:@%.....%@::@%.....%@::@%.....%@:......,@#,...+@$..%@,,@#,...+@%.............:@%.....%@:.%@:....%@+...,@@,...,#@:,@@,...,#@:.+@+.....,@$.......,@#,...+@$..%@+...,@@,...,#@:.$@,...,@%..%@*...,#@,,@#;..................:@%.....%@:.%@:....%@+...,@@,...,#@:,@@,...,#@:.+@+.....,@$...................................................................................................................................................................................................................................................................................................................................................................................
......$@,...,@%..%@,;@?....,@%..................;@*...:@%.....%@,:@%.....%@,:@%.....%@,......;@?.....@$..%@,;@?....,@%.............:@%.....%@,.%@,....%@:...;@?.....?@;;@?.....?@;.+@+......@#.......;@?.....@$..%@:...;@?.....?@;.$@,...,@%..%@,....?@;.$@@@$*,..............:@%.....%@,.%@,....%@:...;@?.....?@;;@?.....?@;.+@+......@#...................................................................................................................................................................................................................................................................................................................................................................................
......$@,...,@%..%@,;@?.....@%..#@@@@@@@@?......;@*...,@$.....$@,,@$.....$@,,@$.....$@,......+@*.....#$..%@,;@?.....@%..#@@@@@@@@?.,@$.....$@,.$@,....%@,...;@*.....*@+;@*.....*@+.+@+......#@.......+@*.....#$..%@,...;@*.....*@+.$@,...,@%..%@.....*@;.,%@@@@@+..#@@@@@@@@?.,@$.....$@,.$@,....%@,...;@*.....*@+;@*.....*@+.+@+......#@...................................................................................................................................................................................................................................................................................................................................................................................
......$@,...:@%..%@,;@%....,@%..#@@@@@@@@?......;@*....@@.....@@..@@.....@@..@@.....@@.......;@?.....@$..%@,;@%....,@%..#@@@@@@@@?..@@.....@@..%@,....%@,...;@?.....?@;;@?.....?@;.+@+......@#.......;@?.....@$..%@,...;@?.....?@;.$@,...:@%..%@,....%@;...,+%#@@,.#@@@@@@@@?..@@.....@@..%@,....%@,...;@?.....?@;;@?.....?@;.+@+......@#...................................................................................................................................................................................................................................................................................................................................................................................
......%@:...+@%..%@,,@@,...+@%..................;@*....%@;...;@%..%@;...;@%..%@;...;@%.......,@#,...+@$..%@,,@@,...+@%..............%@;...;@%..?@:....%@,...,@@,...,#@,,@@,...,#@,.+@+.....,@$.......,@#,...+@$..%@,...,@@,...,#@,.%@:...+@%..%@+...,#@,.......$@:.............%@;...;@%..?@:....%@,...,@@,...,#@,,@@,...,#@,.+@+.....,@$...................................................................................................................................................................................................................................................................................................................................................................................
......?@$:,+@@%..%@,.%@$:,+@@%..................;@*....;@#;,;#@;..;@#;,;#@;..;@#;,;#@;........$@%:,+@@$..%@,.%@$:,+@@%..............;@#;,;#@;..*@+....%@,....%@$:,:$@$..%@$:,:$@$..+@?.....:@?........$@%:,+@@$..%@,....%@$:,:$@$..?@$:,+@@%..%@@+,:$@%.:@$:,,;#@,.............;@#;,;#@;..*@+....%@,....%@$:,:$@$..%@$:,:$@$..+@?.....:@?...................................................................................................................................................................................................................................................................................................................................................................................
......:@@@@@?#%..%@,.,#@@@@%@%..................;@*.....%@@@@@%....%@@@@@%....%@@@@@%.........:@@@@@@@$..%@,.,#@@@@%@%...............%@@@@@%...:@?....%@,....:#@@@@@@:..:#@@@@@@:..;@@@:...*@+........:@@@@@@@$..%@,....:#@@@@@@:..:@@@@@?#%..%@$@@@@#,..%@@@@@@?...............%@@@@@%...:@?....%@,....:#@@@@@@:..:#@@@@@@:..;@@@:...*@+...................................................................................................................................................................................................................................................................................................................................................................................
.......;$@#*.#%..%@,..,%@@%,@%..................;@*.....,*#@#*,....,*#@#*,....,*#@#*,..........:%@@$;@$..%@,..,%@@%,@%...............,*#@#*,....##....%@,.....,?#@#?,....,?#@#?,....?@@;...%@,.........:%@@$;@$..%@,.....,?#@#?,....;$@#*.#%..%@:%@#?,...,*#@@$+................,*#@#*,....##....%@,.....,?#@#?,....,?#@#?,....?@@;...%@,...................................................................................................................................................................................................................................................................................................................................................................................
....................................................................................................:@%.........................................+@;.......................................,@?...............:@%...............................%@,..........................................+@;.......................................,@?....................................................................................................................................................................................................................................................................................................................................................................................
..............................................................................................@@;,,:$@+..........................................#%.......................................*@,.........@@;,,:$@+...............................%@,...........................................#%.......................................*@,....................................................................................................................................................................................................................................................................................................................................................................................
..............................................................................................?@@@@@@$...........................................+@:.....................................,@*..........?@@@@@@$................................%@,...........................................+@:.....................................,@*.....................................................................................................................................................................................................................................................................................................................................................................................
...............................................................................................*$@@#*,............................................%%.....................................?$............*$@@#*,................................%@,............................................%%.....................................?$......................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

どうやら、文字で表された画像に対してOCRをかけ、その結果をコマンドとして実行し、
その出力を文字で表された画像で返すようである。

It looks like the server performs OCR to the image expressed as strings, and executes the result as a command, and returns the output of the command as an image expressed as strings.

とりあえずid.txtを使わずにidを表す文字列を作成し、サーバに送信してみたが、
空文字列として認識され、idを実行することはできなかった。
そのため、サーバ上で使われているフォントを使わないとうまく認識されなそうだと考え、
実行したいコマンドに使う文字を集める作戦を練ることにした。

I created a string to express id without using id.txt and sent that to the server, but it was recognized as an empty string and id was not executed.
Seeing this, I thought that the recognition won't work well unless I use the font used on the server, and decided to correct characters to use in the commands to execute.

作成したidを表す文字列 / The string I created to express id
..................................................................
..................................................................
..................................................................
..................................................................
...............$$$....................................$$..........
...............$$$....................................$$..........
...............$$$....................................$$..........
......................................................$$..........
......................................................$$..........
......................................................$$..........
......................................................$$..........
...............$$$...........................$$$$$$...$$..........
...............$$$.........................$$$$...$$$$$$..........
...............$$$.........................$$.......$$$$..........
...............$$$........................$$$........$$$..........
...............$$$........................$$.........$$$..........
...............$$$.......................$$$..........$$..........
...............$$$.......................$$...........$$..........
...............$$$.......................$$...........$$..........
...............$$$.......................$$...........$$..........
...............$$$.......................$$$..........$$..........
...............$$$.......................$$$.........$$$..........
...............$$$........................$$.........$$$..........
...............$$$........................$$$.......$$$$..........
...............$$$.........................$$$.....$$$$$..........
...............$$$..........................$$$$$$$$...$..........
...............................................$$$................
..................................................................
..................................................................
..................................................................
..................................................................
..................................................................
..................................................................
..................................................................
.

現在得られているのは、以下の文字列である。

Now I have following strings:

bash$
id
uid=1000 gid=0(root) groups=0(root)

まず、shasumコマンドを表す文字列を作成し、実行に成功した。
shasの部分はbashから作成でき、ugroupsに含まれる。mは得られている文字列に含まれないが、uから作成できた。
文字の切り貼りには、サクラエディタの矩形範囲選択機能と罫子が便利だった。

Firstly, I created a string to express the command shasum and succeeded to execute.
shas can be created from bash and u is in groups. m is not in the strings currently available, but I created it from u.
罫子 and the column selection function of SAKURA were useful for copy-and-pasting characters.

作成したshasumを表す文字列 / A string to express shasum created
................................................................................
................................................................................
..............%@,...............................................................
..............%@,...............................................................
..............%@,...............................................................
..............%@,...............................................................
.....*#@@$;...%@,*#@$;....;%#@@$+......*#@@$;...$@,...,@%...%#.*#@$;..*#@$;.....
....?@@@@@@;..%@%@@@@@:..;@@@@@@@;....?@@@@@@;..$@,...,@%...%#?@@@@@:?@@@@@:....
...,@#:,,+@$..%@@+,:$@?..$@+,.:?@%...,@#:,,+@$..$@,...,@%...%@@+,:$@?@+,:$@?....
...,@#;.......%@+...:@$........,@$...,@#;.......$@,...,@%...%@+...:@%+...:@%....
....$@@@$*,...%@:....@$....:+*%#@$....$@@@$*,...$@,...,@%...%@:...,@$:...,@$....
....,%@@@@@+..%@,....@$..:$@@@@@@$....,%@@@@@+..$@,...,@%...%@,...,@$,...,@$....
......,+%#@@,.%@,....@$..#@#?*;:@$......,+%#@@,.$@,...:@%...%@,...,@$,...,@$....
..........$@:.%@,....@$.;@$....+@$..........$@:.%@:...+@%...%@,...,@$,...,@$....
...:@$:,,;#@,.%@,....@$.:@#:,,*@@$...:@$:,,;#@,.?@$:,+@@%...%@,...,@$,...,@$....
....%@@@@@@?..%@,....@$..$@@@@@@@@....%@@@@@@?..:@@@@@?#%...%@,...,@$,...,@$....
....,*#@@$+...%@,....@$..,%#@#%;$@....,*#@@$+....;$@#*.#%...%@,...,@$,...,@$....
................................................................................
................................................................................
.

サーバの応答 / The response from the server
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
..........,@*................,?@@#*.....:%#@@%:...............,?@@#*...............,?@@#*......+$@@%:....,*#@#*.....?@@@@@@%...,*#@#*........,@*................,*#@#*.....................,@%..............,?@@#*...,@@@@@@@@@;..,?#@#?,...%@,.......................?@;....?@@@@@@%..............:%#@@%:........?@;........?@;....:%#@@%:....,*#@#*..........,@%.............:%#@@%:...............?@@@@@@%...,?@@#*.....+#@#:%@,.........................................................................................................................................................................................................................................................................................................................................................................................................................................................
.........,$@*...............,#@@@@@%...:@@@@@@@:.............,#@@@@@%.............,#@@@@@%....?@@@@@#,...%@@@@@%....$@@@@@@%...%@@@@@%......,$@*................%@@@@@%....................,@%.............,#@@@@@%..,@@@@@@@@@:..$@@@@@$...%@,......................:@@;....$@@@@@@%.............:@@@@@@@:......:@@;.......:@@;...:@@@@@@@:...%@@@@@%.........,@%............:@@@@@@@:..............$@@@@@@%..,#@@@@@%...,@@@@,%@,.........................................................................................................................................................................................................................................................................................................................................................................................................................................................
........,$@@*...............*@%:,;@@;..%@%:,:$@%.............*@%:,;@@;............*@%:,;@@;..:@@+,:%@?..;@#;,;#@;...@#........;@#;,;#@;....,$@@*...............;@#;,;#@;...................,@%.............*@%:,;@@;........*@?..+@#;,;#@+..%@,.....................,#@@;....@#...................%@%:,:$@%.....,#@@;......,#@@;...%@%:,:$@%..;@#;,;#@;........,@%............%@%:,:$@%..............@#........*@%:,;@@;..;@$,,.%@,.........................................................................................................................................................................................................................................................................................................................................................................................................................................................
.......+@@$@*...............#@,...+@*..@#....,@@.............#@,...+@*............#@,...+@*..%@;...,@#..%@;...;@%..,@%........%@;...;@%...+@@$@*...............%@;...;@%...................,@%.............#@,...+@*.......:@$...?@;...;@%..%@,.....................*@$@;...,@%...................@#....,@@.....*@$@;......*@$@;...@#....,@@..%@;...;@%........,@%............@#....,@@.............,@%........#@,...+@*..;@*...%@,.........................................................................................................................................................................................................................................................................................................................................................................................................................................................
.......##;;@*.....,?#@#?,.........*@+.........$@...,?#@#?,.........*@+...,?#@#*.........*@+..@$.........@@.....@@..;@*........@@.....@@...##;;@*.....;%#@@$+...@@.....@@...,?#@#?,....:%@@?,@%...,?#@#?,.........*@+.......$@;...?@;...;@?..%@,?@@%:....,?#@#*.....:@??@;...;@*.........;%#@@$+..........$@....:@??@;.....:@??@;..........$@..@@.....@@...:%@@?,@%...,?#@#*..........$@...,?#@#?,...;@*..............*@+.#@@@@?.%@,?@@%:....;%#@@$+.........................................................................................................................................................................................................................................................................................................................................................................................................................................
.......;..;@*....,#@@@@@#,......,+@#,........,@#..,#@@@@@#,......,+@#,..,#@@@@@?......,+@#,.,@?:%@@%:..,@$.....$@,.*@*%@@%:..,@$.....$@,..;..;@*....;@@@@@@@;.,@$.....$@,.,#@@@@@#,..:@@@@@%@%..,#@@@@@#,......,+@#,......+@%....:@#;,:#@;..%@%@@@@@:..,#@@@@@?....$#,?@;...*@*%@@%:...;@@@@@@@;........,@#....$#,?@;.....$#,?@;.........,@#.,@$.....$@,.:@@@@@%@%..,#@@@@@?........,@#..,#@@@@@#,..*@*%@@%:.......,+@#,.#@@@@?.%@%@@@@@:..;@@@@@@@;........................................................................................................................................................................................................................................................................................................................................................................................................................................
..........;@*....?@%:,:?@%.....?@@#:.........?@+..?@%:,:?@%.....?@@#:...?@$;,;#@:....?@@#:..:@$@@@@@@:.,@%.....%@:.?@@@@@@@:.,@%.....%@:.....;@*....$@+,.:?@%.,@%.....%@:.?@%:,:?@%..%@%:,+@@%..?@%:,:?@%.....?@@#:.......#@:.....;#@@@@+...%@@+,:$@%..?@$;,;#@:..*@;.?@;...?@@@@@@@:..$@+,.:?@%........?@+...*@;.?@;....*@;.?@;.........?@+.,@%.....%@:.%@%:,+@@%..?@$;,;#@:.......?@+..?@%:,:?@%..?@@@@@@@:.....?@@#:...;@*...%@@+,:$@%..$@+,.:?@%........................................................................................................................................................................................................................................................................................................................................................................................................................................
..........;@*...,@#.....$@,....?#@@#:.......*@$..,@#.....$@,....?#@@#:..@@,...;@*....?#@@#:.;@@#;,:$@%.:@%.....%@:.$@*,,:$@#.:@%.....%@:.....;@*..........,@$.:@%.....%@:,@#.....$@,,@#,...+@%.,@#.....$@,....?#@@#:.....;@%.....,?@@@@@?...%@+...,@@,.@@,...;@*.:@%..?@;...$@*,,:$@#........,@$.......*@$...:@%..?@;...:@%..?@;........*@$..:@%.....%@:,@#,...+@%..@@,...;@*......*@$..,@#.....$@,.$@*,,:$@#.....?#@@#:..;@*...%@+...,@@,.......,@$........................................................................................................................................................................................................................................................................................................................................................................................................................................
..........;@*...:@@@@@@@@@:......,?@$......*@$,..:@@@@@@@@@:......,?@$.:@$.............,?@$.;@@:...,#@,:@%.....%@,.......,#@::@%.....%@,.....;@*......:+*%#@$.:@%.....%@,:@@@@@@@@@:;@?....,@%.:@@@@@@@@@:......,?@$.....%@;.....?@$:,:%@?..%@,....%@;:@$........$#,..?@;.........,#@:...:+*%#@$......*@$,...$#,..?@;...$#,..?@;.......*@$,..:@%.....%@,;@?....,@%.:@$............*@$,..:@@@@@@@@@:.......,#@:......,?@$..;@*...%@,....%@;...:+*%#@$........................................................................................................................................................................................................................................................................................................................................................................................................................................
..........;@*...;@@@@@@@@@;........#@,....?@$,...;@@@@@@@@@;........#@,:@%...............#@,:@#.....%@:,@$.....$@,........%@;,@$.....$@,.....;@*....:$@@@@@@$.,@$.....$@,;@@@@@@@@@;;@?.....@%.;@@@@@@@@@;........#@,...,@#.....,@#,....#@,.%@.....?@;:@%.......*@;...?@;..........%@;.:$@@@@@@$.....?@$,...*@;...?@;..*@;...?@;......?@$,...,@$.....$@,;@?.....@%.:@%...........?@$,...;@@@@@@@@@;........%@;........#@,.;@*...%@.....?@;.:$@@@@@@$.............+@@@@@,....................................................................................................................................................................................................................................................................................................................................................................................................................
..........;@*...:@%................$@:..,%@?.....:@%................$@::@$...............$@:,@#.....%@:.@@.....@@.........%@;.@@.....@@......;@*....#@#?*;:@$..@@.....@@.:@%........;@%....,@%.:@%................$@:...;@?.....:@%.....?@:.%@,....%@::@$.......$@@@@@@@@@:........%@;.#@#?*;:@$...,%@?.....$@@@@@@@@@:$@@@@@@@@@:..,%@?......@@.....@@.;@%....,@%.:@$.........,%@?.....:@%................%@;........$@:.;@*...%@,....%@:.#@#?*;:@$.............+@@@@@,....................................................................................................................................................................................................................................................................................................................................................................................................................
..........;@*...,@@,.......,@#....,@@,..$@*......,@@,.......,@#....,@@,.@@,...,@%,@#....,@@,.$@;...,@@..%@;...;@%.,@#....,@@,.%@;...;@%......;@*...;@$....+@$..%@;...;@%.,@@,.......,@@,...+@%.,@@,.......,@#....,@@,...?@;.....,@#,....#@:.%@;...,@@,.@@,...,@%$@@@@@@@@@:,@#....,@@,;@$....+@$...$@*......$@@@@@@@@@:$@@@@@@@@@:..$@*.......%@;...;@%.,@@,...+@%..@@,...,@%..$@*......,@@,.......,@#....,@@,,@#....,@@,.;@*...%@;...,@@,;@$....+@$........................................................................................................................................................................................................................................................................................................................................................................................................................................
..........;@*....%@$;,,+@@,.$@%:,;$@%..?@*........%@$;,,+@@,.$@%:,;$@%..%@$:,:$@+.$@%:,;$@%..+@#;,:$@?..;@#;,;#@;..$@%:,;$@%..;@#;,;#@;......;@*...:@#:,,*@@$..;@#;,;#@;..%@$;,,+@@,.%@$:,+@@%..%@$;,,+@@,.$@%:,;$@%....$@,......$@$:,:%@#..%@@;,:$@%..%@$:,:$@+......?@;...$@%:,;$@%.:@#:,,*@@$..?@*.............?@;........?@;...?@*........;@#;,;#@;..%@$:,+@@%..%@$:,:$@+.?@*........%@$;,,+@@,.$@%:,;$@%..$@%:,;$@%..;@*...%@@;,:$@%.:@#:,,*@@$........................................................................................................................................................................................................................................................................................................................................................................................................................................
..........;@*....,#@@@@@@+..:@@@@@@#,.,@@@@@@@@@,.,#@@@@@@+..:@@@@@@#,..,#@@@@@%..:@@@@@@#,...%@@@@@#,...%@@@@@%...:@@@@@@#,...%@@@@@%.......;@*....$@@@@@@@@...%@@@@@%...,#@@@@@@+..,#@@@@%@%..,#@@@@@@+..:@@@@@@#,....@@.......:@@@@@@@:..%@%@@@@#,..,#@@@@@%.......?@;...:@@@@@@#,..$@@@@@@@@.,@@@@@@@@@,......?@;........?@;..,@@@@@@@@@,..%@@@@@%...,#@@@@%@%..,#@@@@@%.,@@@@@@@@@,.,#@@@@@@+..:@@@@@@#,..:@@@@@@#,..;@*...%@%@@@@#,..$@@@@@@@@........................................................................................................................................................................................................................................................................................................................................................................................................................................
..........;@*.....,?#@@$;....:%@@#?,..;@@@@@@@@@,..,?#@@$;....:%@@#?,....,?#@#?,...:%@@#?,.....*#@#?,....,*#@#*,....:%@@#?,....,*#@#*,.......;@*....,%#@#%;$@:..,*#@#*,....,?#@@$;....,%@@%,@%...,?#@@$;....:%@@#?,.....@#........,%#@@%:...%@,%@@%,....,?#@#?,.......?@;....:%@@#?,...,%#@#%;$@:;@@@@@@@@@,......?@;........?@;..;@@@@@@@@@,..,*#@#*,....,%@@%,@%...,?#@#?,.;@@@@@@@@@,..,?#@@$;....:%@@#?,....:%@@#?,...;@*...%@,%@@%,...,%#@#%;$@:.......................................................................................................................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

(一部の.のみの行は省略した / Some .-only lines are omitted)

この応答から、文字012345678abcdefを得ることができた。 (9は含まれていなかった)

From this response, I succeeded to collect characters 012345678abcdef. (9 was not in the response)

次に、lsを作るのにloadに含まれるlを使うことを狙い、uptimeコマンドを表す文字列を作成して実行させた。

Then, to use l in load to create ls, I created a string to express uptime and had the server execute the command.

uptimeを表す文字列 / A string to express uptime
..................................................................................
..................................................................................
..............................::........%@........................................
.............................;@+........%@........................................
.............................+@+..................................................
.............................+@+..................................................
..$@,...,@%...%@,?@@%:......%@@@@:......%@......%#.*#@$;..*#@$;.....,?#@#?,.......
..$@,...,@%...%@%@@@@@:.....%@@@@:......%@......%#?@@@@@:?@@@@@:...,#@@@@@#,......
..$@,...,@%...%@@+,:$@%......+@+........%@......%@@+,:$@?@+,:$@?...?@%:,:?@%......
..$@,...,@%...%@*...,#@,.....+@+........%@......%@+...:@%+...:@%..,@#.....$@,.....
..$@,...,@%...%@,....?@;.....+@+........%@......%@:...,@$:...,@$..:@@@@@@@@@:.....
..$@,...,@%...%@.....*@;.....+@+........%@......%@,...,@$,...,@$..;@@@@@@@@@;.....
..$@,...:@%...%@,....%@;.....+@+........%@......%@,...,@$,...,@$..:@%.............
..%@:...+@%...%@+...,#@,.....+@+........%@......%@,...,@$,...,@$..,@@,............
..?@$:,+@@%...%@@+,:$@%......+@?........%@......%@,...,@$,...,@$...%@$;,,+@@,.....
..:@@@@@?#%...%@$@@@@#,......;@@@:......%@......%@,...,@$,...,@$...,#@@@@@@+......
...;$@#*.#%...%@:%@#?,........?@@;......%@......%@,...,@$,...,@$....,?#@@$;.......
..............%@,.................................................................
..............%@,.................................................................
..............%@,.................................................................
..............%@,.................................................................
..................................................................................
..................................................................................
.

サーバの応答 / The response from the server
....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................,@*......+$@@%:..............?@;....,*#@#*..............,@*.........?@;......................................:%#@@%:...............,@%....................................................:%#@@%:..............?@;.......,@*.......................,*#@#*.............................................................................$@,.............................,@%.............................................................................................:%#@@%:..........:%#@@%:....:%#@@%:................:%#@@%:..........:%#@@%:....,?#@#?,................:%#@@%:.............,@*.....?@@@@@@%....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
...............,$@*.....?@@@@@#,............:@@;....%@@@@@%............,$@*........:@@;.....................................:@@@@@@@:..............,@%...................................................:@@@@@@@:............:@@;......,$@*.......................%@@@@@%............................................................................$@,.............................,@%............................................................................................:@@@@@@@:........:@@@@@@@:..:@@@@@@@:..............:@@@@@@@:........:@@@@@@@:...$@@@@@$...............:@@@@@@@:...........,$@*.....$@@@@@@%....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
..............,$@@*....:@@+,:%@?...........,#@@;...;@#;,;#@;..........,$@@*.......,#@@;.....................................%@%:,:$@%..............,@%...................................................%@%:,:$@%...........,#@@;.....,$@@*......................;@#;,;#@;...........................................................................$@,.............................,@%............................................................................................%@%:,:$@%........%@%:,:$@%..%@%:,:$@%..............%@%:,:$@%........%@%:,:$@%..+@#;,;#@+..............%@%:,:$@%..........,$@@*.....@#..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.............+@@$@*....%@;...,@#...........*@$@;...%@;...;@%.........+@@$@*.......*@$@;.....................................@#....,@@..............,@%...................................................@#....,@@...........*@$@;....+@@$@*......................%@;...;@%...........................................................................$@,.............................,@%............................................................................................@#....,@@........@#....,@@..@#....,@@..............@#....,@@........@#....,@@..?@;...;@%..............@#....,@@.........+@@$@*....,@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.............##;;@*....@$.........:@#.....:@??@;...@@.....@@..:@#....##;;@*......:@??@;.........$@,...,@%..%@,?@@%:................$@.........:%@@?,@%...;%#@@$+..*@+....,@%..*#@@$;............................$@..:@#.....:@??@;....##;;@*......................@@.....@@........$@,...,@%...*#@@$;....,?#@#?,...%#:#@%..*#@@$;.....................$@,..,?#@#?,....;%#@@$+....:%@@?,@%.........;%#@@$+..?@;....;@?..,?#@#?,...%#:#@%..;%#@@$+....:%@@%,#$...,?#@#?,...:@#................$@...............$@.........$@.....................$@...............$@..?@;...;@?.....................$@.........##;;@*....;@*..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.............;..;@*...,@?:%@@%:...:@#.....$#,?@;..,@$.....$@,.:@#....;..;@*......$#,?@;.........$@,...,@%..%@%@@@@@:..............,@#........:@@@@@%@%..;@@@@@@@;.,@$....*@;.?@@@@@@;..........................,@#..:@#.....$#,?@;....;..;@*.....................,@$.....$@,.......$@,...,@%..?@@@@@@;..,#@@@@@#,..%##@@?.?@@@@@@;....................$@,.,#@@@@@#:..;@@@@@@@;..:@@@@@%@%........;@@@@@@@;.:@%....?@;.,#@@@@@#,..%##@@?.;@@@@@@@;..:@@@@@$#$..,#@@@@@#,..:@#...............,@#..............,@#........,@#....................,@#..............,@#..:@#;,:#@;....................,@#.........;..;@*....*@*%@@%:.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................;@*...:@$@@@@@@:.........*@;.?@;..,@%.....%@:...........;@*.....*@;.?@;.........$@,...,@%..%@@+,:$@%..............?@+........%@%:,+@@%..$@+,.:?@%..$@,...$@.,@#:,,+@$..........................?@+.........*@;.?@;.......;@*.....................,@%.....%@:.......$@,...,@%.,@#:,,+@$..?@%:,:?@%..%@#:..,@#:,,+@$....................$@,.%@$:,:$@$..$@+,.:?@%..%@%:,+@@%........$@+,.:?@%..#@,...##..?@%:,:?@%..%@#:...$@+,.:?@%..%@$:,+@@$..?@%:,:?@%....................?@+..............?@+........?@+....................?@+..............?@+...;#@@@@+.....................?@+............;@*....?@@@@@@@:....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................;@*...;@@#;,:$@%........:@%..?@;..:@%.....%@:...........;@*....:@%..?@;.........$@,...,@%..%@*...,#@,............*@$........,@#,...+@%........,@$..+@*..,@?.,@#;..............................*@$.........:@%..?@;.......;@*.....................:@%.....%@:.......$@,...,@%.,@#;......,@#.....$@,.%@+...,@#;.........................$@,,@@,...,#@:.......,@$.,@#,...+@%..............,@$..*@;..;@?.,@#.....$@,.%@+..........,@$.,@#,...+@$.,@#.....$@,..................*@$..............*@$........*@$....................*@$..............*@$...,?@@@@@?....................*@$.............;@*....$@*,,:$@#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................;@*...;@@:...,#@,.......$#,..?@;..:@%.....%@,...........;@*....$#,..?@;.........$@,...,@%..%@,....?@;...........*@$,........;@?....,@%....:+*%#@$..,@#..*@;..$@@@$*,.........................*@$,.........$#,..?@;.......;@*.....................:@%.....%@,.......$@,...,@%..$@@@$*,..:@@@@@@@@@:.%@:....$@@@$*,.....................$@,;@?.....?@;...:+*%#@$.;@?....,@%..........:+*%#@$..:@%..?@:.:@@@@@@@@@:.%@:......:+*%#@$.;@?.....@$.:@@@@@@@@@:.................*@$,.............*@$,.......*@$,...................*@$,.............*@$,...?@$:,:%@?..................*@$,.............;@*..........,#@:...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................;@*...:@#.....%@:......*@;...?@;..,@$.....$@,...........;@*...*@;...?@;.........$@,...,@%..%@.....*@;..........?@$,.........;@?.....@%..:$@@@@@@$...%@:.$#...,%@@@@@+.......................?@$,.........*@;...?@;.......;@*.....................,@$.....$@,.......$@,...,@%..,%@@@@@+.;@@@@@@@@@;.%@,....,%@@@@@+....................$@,;@*.....*@+.:$@@@@@@$.;@?.....@%........:$@@@@@@$...$@,.@$..;@@@@@@@@@;.%@,....:$@@@@@@$.+@*.....#$.;@@@@@@@@@;................?@$,.............?@$,.......?@$,...................?@$,.............?@$,...,@#,....#@,................?@$,..............;@*...........%@;...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................;@*...,@#.....%@:......$@@@@@@@@@:.@@.....@@............;@*...$@@@@@@@@@:.......$@,...:@%..%@,....%@;........,%@?...........;@%....,@%..#@#?*;:@$...;@*,@?.....,+%#@@,....................,%@?...........$@@@@@@@@@:.....;@*......................@@.....@@........$@,...:@%....,+%#@@,:@%.........%@,......,+%#@@,...................$@,;@?.....?@;.#@#?*;:@$.;@%....,@%........#@#?*;:@$...*@;;@*..:@%.........%@,....#@#?*;:@$.;@?.....@$.:@%......................,%@?.............,%@?.......,%@?...................,%@?.............,%@?.....:@%.....?@:..............,%@?................;@*...........%@;...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................;@*....$@;...,@@.......$@@@@@@@@@:.%@;...;@%............;@*...$@@@@@@@@@:.......%@:...+@%..%@+...,#@,........$@*............,@@,...+@%.;@$....+@$....##*@:.........$@:....................$@*............$@@@@@@@@@:.....;@*......................%@;...;@%........%@:...+@%........$@:,@@,........%@,..........$@:...................$@,,@@,...,#@,;@$....+@$.,@@,...+@%.......;@$....+@$...,@%?@,..,@@,........%@,...;@$....+@$.,@#,...+@$.,@@,.....................$@*..............$@*........$@*....................$@*..............$@*......,@#,....#@:..............$@*.................;@*...,@#....,@@,...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................;@*....+@#;,:$@?.............?@;...;@#;,;#@;............;@*.........?@;.........?@$:,+@@%..%@@+,:$@%........?@*..............%@$:,+@@%.:@#:,,*@@$....*@@#...:@$:,,;#@,...................?@*...................?@;.......;@*......................;@#;,;#@;........?@$:,+@@%.:@$:,,;#@,.%@$;,,+@@,.%@,...:@$:,,;#@,...................$@,.%@$:,:$@$.:@#:,,*@@$..%@$:,+@@%.......:@#:,,*@@$....%@@$....%@$;,,+@@,.%@,...:@#:,,*@@$..$@%:,+@@$..%@$;,,+@@,.............?@*..............?@*........?@*....................?@*..............?@*........$@$:,:%@#..............?@*..................;@*....$@%:,;$@%....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................;@*.....%@@@@@#,..:@#........?@;....%@@@@@%...:@#.......;@*.........?@;.........:@@@@@?#%..%@$@@@@#,.......,@@@@@@@@@,.......,#@@@@%@%..$@@@@@@@@....,@@*....%@@@@@@?..;@$..............,@@@@@@@@@,.:@#........?@;.......;@*....;@$................%@@@@@%.........:@@@@@?#%..%@@@@@@?..,#@@@@@@+..%@,....%@@@@@@?..;@$...............$@,.:#@@@@@@:..$@@@@@@@@..,#@@@@%@%........$@@@@@@@@....+@@+....,#@@@@@@+..%@,....$@@@@@@@@..:@@@@@@@$..,#@@@@@@+..:@#........,@@@@@@@@@,.:@#..,@@@@@@@@@,,@@@@@@@@@,.;@$........,@@@@@@@@@,.:@#..,@@@@@@@@@,.:@@@@@@@:..;@$........,@@@@@@@@@,.:@#.......;@*....:@@@@@@#,....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................;@*......*#@#?,...:@#........?@;....,*#@#*,...:@#.......;@*.........?@;..........;$@#*.#%..%@:%@#?,........;@@@@@@@@@,........,%@@%,@%..,%#@#%;$@:....#@:....,*#@@$+...;@$..............;@@@@@@@@@,.:@#........?@;.......;@*....;@$................,*#@#*,..........;$@#*.#%..,*#@@$+....,?#@@$;...%@,....,*#@@$+...;@$...............$@,..,?#@#?,...,%#@#%;$@:..,%@@%,@%........,%#@#%;$@:...,@@,.....,?#@@$;...%@,....,%#@#%;$@:..:%@@$;@$...,?#@@$;...:@#........;@@@@@@@@@,.:@#..;@@@@@@@@@,;@@@@@@@@@,.;@$........;@@@@@@@@@,.:@#..;@@@@@@@@@,..,%#@@%:...;@$........;@@@@@@@@@,.:@#.......;@*.....:%@@#?,.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
...........................................................................................................%@,.......................................................,@$................;$.......................................................;$..................................................................................;$..................................................................................................................:@%.................................................................;$.................................................;$..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
...........................................................................................................%@,.....................................................,,%@+...............,%?......................................................,%?.................................................................................,%?............................................................................................................@@;,,:$@+................................................................,%?................................................,%?..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
...........................................................................................................%@,.....................................................#@@#................,$,......................................................,$,.................................................................................,$,............................................................................................................?@@@@@@$.................................................................,$,................................................,$,..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
...........................................................................................................%@,.....................................................%@$,.............................................................................................................................................................................................................................................................................*$@@#*,.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

(一部の.のみの行は省略した / Some .-only lines are omitted)

得られたlを用いてlsを表す文字列を作り、送信したが、なぜか空文字列として認識されてしまい、実行できなかった。
そこで、San Diego CTF 2021 の No flag for youの解法を参考に、
echo *によってファイルの一覧を得ることにした。

I created a string to express ls using the l obtained and sent that to the server, but It was recognized as an empty string for some reason and it couldn't be executed.
Seeing this, I decided to obtain the list of files using echo *, inspired from the solution for "No flag for you" in San Diego CTF 2021.

echo *を実行するには、*が必要である。
これは、helpコマンドを実行し、出力のうち以下の行から得ることができた。

* is required to execute echo *.
This could be obtained from this line in the output of help command.

A star (*) next to a name means that the command is disabled.

helpを表す文字列 / A string to express help
..........................................................
..........................................................
......%@,...........................$@....................
......%@,...........................$@....................
......%@,...........................$@....................
......%@,...........................$@....................
......%@,*#@$;........,?#@#?,.......$@......%@,?@@%:......
......%@%@@@@@:......,#@@@@@#,......$@......%@%@@@@@:.....
......%@@+,:$@?......?@%:,:?@%......$@......%@@+,:$@%.....
......%@+...:@$.....,@#.....$@,.....$@......%@*...,#@,....
......%@:....@$.....:@@@@@@@@@:.....$@......%@,....?@;....
......%@,....@$.....;@@@@@@@@@;.....$@......%@.....*@;....
......%@,....@$.....:@%.............$@......%@,....%@;....
......%@,....@$.....,@@,............$@......%@+...,#@,....
......%@,....@$......%@$;,,+@@,.....$@......%@@+,:$@%.....
......%@,....@$......,#@@@@@@+......$@......%@$@@@@#,.....
......%@,....@$.......,?#@@$;.......$@......%@:%@#?,......
............................................%@,...........
............................................%@,...........
............................................%@,...........
............................................%@,...........
..........................................................
..........................................................
.

helpコマンドの出力のうち該当部分 / The corresponding part of the output of the help command
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
..........$@$.......................::..............................%%....#?....*$............................................::..........::................................................................................................................................................................::...%@,....................::..........::...%@,............................................................................................................,@%........%@,.......................,@%..%@,......................%@,........$@,..................,@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.........,@@@,.....................;@+.............................;@:..;.$*,;..,@*..........................................;@+.........;@+...............................................................................................................................................................;@+...%@,...................;@+.........;@+...%@,............................................................................................................,@%........%@,.......................,@%..%@,......................%@,........$@,..................,@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.........*@$@*.....................+@+............................,#?..;@##$@@...*@,.........................................+@+.........+@+...............................................................................................................................................................+@+...%@,...................+@+.........+@+...%@,............................................................................................................,@%..................................,@%...........................%@,........$@,..................,@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.........#@:@#.....................+@+............................+@:...:?@@+:...,@?.........................................+@+.........+@+...............................................................................................................................................................+@+...%@,...................+@+.........+@+...%@,............................................................................................................,@%..................................,@%...........................%@,........$@,..................,@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........:@$.$@;...........*#@@$;..%@@@@:..;%#@@$+...%#:#@%........##....,#?#%.....%@,........%@:%@@$;....,?#@#?,..;@#,...$@;%@@@@:......%@@@@:..,?#@#?,..........;%#@@$+.........%@:%@@$;....;%#@@$+...%#,?@@%,.*#@$:....,?#@#?,.........%#,?@@%,.*#@$:....,?#@#?,....;%#@@$+...%@:%@@$;....*#@@$;........%@@@@:.%@,*#@$;....;%#@@$+..%@@@@:......%@@@@:.%@,*#@$;....,?#@#?,..........,?#@#*....,?#@#?,...%#,?@@%,.*#@$:...%#,?@@%,.*#@$:....;%#@@$+...%@:%@@$;....:%@@?,@%........%@,..*#@@$;..........:%@@?,@%..%@,..*#@@$;....;%#@@$+...%@,?@@%:...$@,..,?#@#?,....:%@@?,@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........?@*.+@%..........?@@@@@@;.%@@@@:.;@@@@@@@;..%##@@?.......:@?....;$,;$,....+@+........%@@@@@@@:..,#@@@@@#,..?@*..+@?.%@@@@:......%@@@@:.,#@@@@@#:........;@@@@@@@;........%@@@@@@@:..;@@@@@@@;..%#%@@@@?*@@@@#,..,#@@@@@#,........%#%@@@@?*@@@@#,..,#@@@@@#,..;@@@@@@@;..%@@@@@@@:..?@@@@@@;.......%@@@@:.%@%@@@@@:..;@@@@@@@;.%@@@@:......%@@@@:.%@%@@@@@:..,#@@@@@#,........,#@@@@@?..,#@@@@@#:..%#%@@@@?*@@@@#,..%#%@@@@?*@@@@#,..;@@@@@@@;..%@@@@@@@:..:@@@@@%@%........%@,.?@@@@@@;........:@@@@@%@%..%@,.?@@@@@@;..;@@@@@@@;..%@%@@@@@:..$@,.,#@@@@@#,..:@@@@@%@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........@@,.,@@,........,@#:,,+@$..+@+...$@+,.:?@%..%@#:.........*@;..............:@?........%@@+,:$@?..?@%:,:?@%..,#@,,@#,..+@+.........+@+...%@$:,:$@$........$@+,.:?@%........%@@+,:$@?..$@+,.:?@%..%@@;,;@@@+,:#@;..?@%:,:?@%........%@@;,;@@@+,:#@;..?@%:,:?@%..$@+,.:?@%..%@@+,:$@?.,@#:,,+@$........+@+...%@@+,:$@?..$@+,.:?@%..+@+.........+@+...%@@+,:$@?..?@%:,:?@%........?@$;,;#@:.%@$:,:$@$..%@@;,;@@@+,:#@;..%@@;,;@@@+,:#@;..$@+,.:?@%..%@@+,:$@?..%@%:,+@@%........%@,,@#:,,+@$........%@%:,+@@%..%@,,@#:,,+@$..$@+,.:?@%..%@@+,:$@%..$@,.?@%:,:?@%..%@%:,+@@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.......;@%...%@*........,@#;.......+@+.........,@$..%@+..........%@:..............,@$........%@+...:@$.,@#.....$@,..;@%$@;...+@+.........+@+..,@@,...,#@:.............,@$........%@+...:@$........,@$..%@+...%@?...*@+.,@#.....$@,.......%@+...%@?...*@+.,@#.....$@,.......,@$..%@+...:@$.,@#;.............+@+...%@+...:@$........,@$..+@+.........+@+...%@+...:@$.,@#.....$@,.......@@,...;@*,@@,...,#@:.%@+...%@?...*@+..%@+...%@?...*@+........,@$..%@+...:@$.,@#,...+@%........%@,,@#;............,@#,...+@%..%@,,@#;.............,@$..%@+...,@@,.$@,,@#.....$@,,@#,...+@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.......%@;...;@#.........$@@@$*,...+@+.....:+*%#@$..%@:..........%@,...............@#........%@:...,@$.:@@@@@@@@@:...?@@?....+@+.........+@+..;@?.....?@;.........:+*%#@$........%@:...,@$....:+*%#@$..%@:...?@;...+@+.:@@@@@@@@@:.......%@:...?@;...+@+.:@@@@@@@@@:...:+*%#@$..%@:...,@$..$@@@$*,.........+@+...%@:....@$....:+*%#@$..+@+.........+@+...%@:....@$.:@@@@@@@@@:......:@$.......;@?.....?@;.%@:...?@;...+@+..%@:...?@;...+@+....:+*%#@$..%@:...,@$.;@?....,@%........%@,.$@@@$*,........;@?....,@%..%@,.$@@@$*,.....:+*%#@$..%@,....%@;.$@,:@@@@@@@@@:;@?....,@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
......,@@@@@@@@@;........,%@@@@@+..+@+...:$@@@@@@$..%@,..........$@,...............#@........%@,....@$.;@@@@@@@@@;...;@@;....+@+.........+@+..;@*.....*@+.......:$@@@@@@$........%@,....@$..:$@@@@@@$..%@,...?@;...+@+.;@@@@@@@@@;.......%@,...?@;...+@+.;@@@@@@@@@;.:$@@@@@@$..%@,....@$..,%@@@@@+........+@+...%@,....@$..:$@@@@@@$..+@+.........+@+...%@,....@$.;@@@@@@@@@;......:@%.......;@*.....*@+.%@,...?@;...+@+..%@,...?@;...+@+..:$@@@@@@$..%@,....@$.;@?.....@%........%@,.,%@@@@@+.......;@?.....@%..%@,.,%@@@@@+..:$@@@@@@$..%@.....?@;.$@,;@@@@@@@@@;;@?.....@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
......+@@@@@@@@@%..........,+%#@@,.+@+...#@#?*;:@$..%@,..........%@,...............@#........%@,....@$.:@%..........,#@@#,...+@+.........+@+..;@?.....?@;.......#@#?*;:@$........%@,....@$..#@#?*;:@$..%@,...?@;...+@+.:@%...............%@,...?@;...+@+.:@%.........#@#?*;:@$..%@,....@$....,+%#@@,.......+@+...%@,....@$..#@#?*;:@$..+@+.........+@+...%@,....@$.:@%..............:@$.......;@?.....?@;.%@,...?@;...+@+..%@,...?@;...+@+..#@#?*;:@$..%@,....@$.;@%....,@%........%@,...,+%#@@,......;@%....,@%..%@,...,+%#@@,.#@#?*;:@$..%@,....%@:.$@,:@%........;@%....,@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
......$@+.....;@@,.............$@:.+@+..;@$....+@$..%@,..........?@:..............,@$........%@,....@$.,@@,.........?@?%@?...+@+.........+@+..,@@,...,#@,......;@$....+@$........%@,....@$.;@$....+@$..%@,...?@;...+@+.,@@,..............%@,...?@;...+@+.,@@,.......;@$....+@$..%@,....@$........$@:.......+@+...%@,....@$.;@$....+@$..+@+.........+@+...%@,....@$.,@@,..............@@,...,@%,@@,...,#@,.%@,...?@;...+@+..%@,...?@;...+@+.;@$....+@$..%@,....@$.,@@,...+@%........%@,.......$@:......,@@,...+@%..%@,.......$@:;@$....+@$..%@;...,@@,.$@,,@@,.......,@@,...+@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.....:@@,......#@+......:@$:,,;#@,.+@?..:@#:,,*@@$..%@,..........*@+..............:@?........%@,....@$..%@$;,,+@@,.:@#,,#@;..+@?.........+@?...%@$:,:$@$.......:@#:,,*@@$........%@,....@$.:@#:,,*@@$..%@,...?@;...+@+..%@$;,,+@@,.......%@,...?@;...+@+..%@$;,,+@@,:@#:,,*@@$..%@,....@$.:@$:,,;#@,.......+@?...%@,....@$.:@#:,,*@@$..+@?.........+@?...%@,....@$..%@$;,,+@@,.......%@$:,:$@+.%@$:,:$@$..%@,...?@;...+@+..%@,...?@;...+@+.:@#:,,*@@$..%@,....@$..%@$:,+@@%........%@,:@$:,,;#@,.......%@$:,+@@%..%@,:@$:,,;#@,:@#:,,*@@$..%@@;,:$@%..$@,.%@$;,,+@@,.%@$:,+@@%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.....*@?.......+@$.......%@@@@@@?..;@@@:.$@@@@@@@@..%@,..........:@?..............*@+........%@,....@$..,#@@@@@@+.,#@;..;@#,.;@@@:.......;@@@:.:#@@@@@@:........$@@@@@@@@........%@,....@$..$@@@@@@@@..%@,...?@;...+@+..,#@@@@@@+........%@,...?@;...+@+..,#@@@@@@+..$@@@@@@@@..%@,....@$..%@@@@@@?........;@@@:.%@,....@$..$@@@@@@@@..;@@@:.......;@@@:.%@,....@$..,#@@@@@@+........,#@@@@@%..:#@@@@@@:..%@,...?@;...+@+..%@,...?@;...+@+..$@@@@@@@@..%@,....@$..,#@@@@%@%........%@,.%@@@@@@?........,#@@@@%@%..%@,.%@@@@@@?..$@@@@@@@@..%@%@@@@#,..$@,.,#@@@@@@+..,#@@@@%@%..:@#.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.....#@:.......,@@:......,*#@@$+....?@@;.,%#@#%;$@:.%@,...........##..............%@,........%@,....@$...,?#@@$;..?@%....%@?..?@@;........?@@;..,?#@#?,.........,%#@#%;$@:.......%@,....@$..,%#@#%;$@:.%@,...?@;...+@+...,?#@@$;.........%@,...?@;...+@+...,?#@@$;...,%#@#%;$@:.%@,....@$..,*#@@$+..........?@@;.%@,....@$..,%#@#%;$@:..?@@;........?@@;.%@,....@$...,?#@@$;..........,?#@#?,...,?#@#?,...%@,...?@;...+@+..%@,...?@;...+@+..,%#@#%;$@:.%@,....@$...,%@@%,@%........%@,.,*#@@$+..........,%@@%,@%..%@,.,*#@@$+...,%#@#%;$@:.%@,%@@%,...$@,..,?#@@$;....,%@@%,@%..:@#.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
..................................................................+@;............,@?....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
...................................................................#%............*@,....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
...................................................................+@:..........,@*.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
....................................................................%%..........?$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

得られた*を用いてecho *を表す文字列を作成し、コマンドを実行した。

I created a string to express echo * using the * obtained and executed the command.

echo *を表す文字列 / A string to express echo *
................................................................
................................................................
................................................................
.........................%@,.............................#?.....
.........................%@,...........................;.$*,;...
.........................%@,..........................;@##$@@...
.........................%@,...........................:?@@+:...
.....,?#@#?,....,?#@#*...%@,*#@$;....,?#@#?,...........,#?#%....
....,#@@@@@#,..,#@@@@@?..%@%@@@@@:..,#@@@@@#:..........;$,;$,...
....?@%:,:?@%..?@$;,;#@:.%@@+,:$@?..%@$:,:$@$...................
...,@#.....$@,.@@,...;@*.%@+...:@$.,@@,...,#@:..................
...:@@@@@@@@@::@$........%@:....@$.;@?.....?@;..................
...;@@@@@@@@@;:@%........%@,....@$.;@*.....*@+..................
...:@%........:@$........%@,....@$.;@?.....?@;..................
...,@@,........@@,...,@%.%@,....@$.,@@,...,#@,..................
....%@$;,,+@@,.%@$:,:$@+.%@,....@$..%@$:,:$@$...................
....,#@@@@@@+..,#@@@@@%..%@,....@$..:#@@@@@@:...................
.....,?#@@$;....,?#@#?,..%@,....@$...,?#@#?,....................
................................................................
................................................................
................................................................
.

サーバの応答 / The response from the server
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
..........$@$.............%@,............$@,........::....::....+#@#:.......+#@#:$@,..............................::..............::..........::.......................................:%#@@%:..............................................................................................................................................................................................................................................................................................................................................................
.........,@@@,............%@,............$@,.......;@+...;@+...,@@@@,......,@@@@,$@,.............................;@+.............;@+.........;@+......................................:@@@@@@@:.............................................................................................................................................................................................................................................................................................................................................................
.........*@$@*...........................$@,.......+@+...+@+...;@$,,.......;@$,,.$@,.............................+@+.............+@+.........+@+......................................%@%:,:$@%.............................................................................................................................................................................................................................................................................................................................................................
.........#@:@#...........................$@,.......+@+...+@+...;@*.........;@*...$@,.............................+@+.............+@+.........+@+......................................@#....,@@.............................................................................................................................................................................................................................................................................................................................................................
........:@$.$@;....%#:#@%.%@,..;%#@@$+...$@,......%@@@@:%@@@@:#@@@@?......#@@@@?.$@,..;%#@@$+....:%@@%,#$.......%@@@@:;@#,...$@;%@@@@:......%@@@@:..,?#@#?,...%#:#@%.%#,?@@%,.*#@$:..........$@........%@,?@@%:..*@+....,@%.................................................................................................................................................................................................................................................................................................................................
........?@*.+@%....%##@@?.%@,.;@@@@@@@;..$@,......%@@@@:%@@@@:#@@@@?......#@@@@?.$@,.;@@@@@@@;..:@@@@@$#$.......%@@@@:.?@*..+@?.%@@@@:......%@@@@:.,#@@@@@#,..%##@@?.%#%@@@@?*@@@@#,........,@#........%@%@@@@@:.,@$....*@;.................................................................................................................................................................................................................................................................................................................................
........@@,.,@@,...%@#:...%@,.$@+,.:?@%..$@,.......+@+...+@+...;@*.........;@*...$@,.$@+,.:?@%..%@$:,+@@$........+@+...,#@,,@#,..+@+.........+@+...?@%:,:?@%..%@#:...%@@;,;@@@+,:#@;........?@+........%@@+,:$@%..$@,...$@..................................................................................................................................................................................................................................................................................................................................
.......;@%...%@*...%@+....%@,.......,@$..$@,.......+@+...+@+...;@*.........;@*...$@,.......,@$.,@#,...+@$........+@+....;@%$@;...+@+.........+@+..,@#.....$@,.%@+....%@+...%@?...*@+.......*@$.........%@*...,#@,.+@*..,@?..................................................................................................................................................................................................................................................................................................................................
.......%@;...;@#...%@:....%@,...:+*%#@$..$@,.......+@+...+@+...;@*.........;@*...$@,...:+*%#@$.;@?.....@$........+@+.....?@@?....+@+.........+@+..:@@@@@@@@@:.%@:....%@:...?@;...+@+......*@$,.........%@,....?@;.,@#..*@;..................................................................................................................................................................................................................................................................................................................................
......,@@@@@@@@@;..%@,....%@,.:$@@@@@@$..$@,.......+@+...+@+...;@*.........;@*...$@,.:$@@@@@@$.+@*.....#$........+@+.....;@@;....+@+.........+@+..;@@@@@@@@@;.%@,....%@,...?@;...+@+.....?@$,..........%@.....*@;..%@:.$#...................................................................................................................................................................................................................................................................................................................................
......+@@@@@@@@@%..%@,....%@,.#@#?*;:@$..$@,.......+@+...+@+...;@*.........;@*...$@,.#@#?*;:@$.;@?.....@$........+@+....,#@@#,...+@+.........+@+..:@%.........%@,....%@,...?@;...+@+...,%@?............%@,....%@;..;@*,@?...................................................................................................................................................................................................................................................................................................................................
......$@+.....;@@,.%@,....%@,;@$....+@$..$@,.......+@+...+@+...;@*.........;@*...$@,;@$....+@$.,@#,...+@$........+@+....?@?%@?...+@+.........+@+..,@@,........%@,....%@,...?@;...+@+...$@*.............%@+...,#@,...##*@:...................................................................................................................................................................................................................................................................................................................................
.....:@@,......#@+.%@,....%@,:@#:,,*@@$..$@,.......+@?...+@?...;@*.........;@*...$@,:@#:,,*@@$..$@%:,+@@$........+@?...:@#,,#@;..+@?.........+@?...%@$;,,+@@,.%@,....%@,...?@;...+@+..?@*..............%@@+,:$@%....*@@#....................................................................................................................................................................................................................................................................................................................................
.....*@?.......+@$.%@,....%@,.$@@@@@@@@..$@,.:@#...;@@@:.;@@@:.;@*.........;@*...$@,.$@@@@@@@@..:@@@@@@@$..:@#...;@@@:,#@;..;@#,.;@@@:.......;@@@:.,#@@@@@@+..%@,....%@,...?@;...+@+.,@@@@@@@@@,.:@#...%@$@@@@#,....,@@*....................................................................................................................................................................................................................................................................................................................................
.....#@:.......,@@:%@,....%@,.,%#@#%;$@:.$@,.:@#....?@@;..?@@;.;@*.........;@*...$@,.,%#@#%;$@:..:%@@$;@$..:@#....?@@;?@%....%@?..?@@;........?@@;..,?#@@$;...%@,....%@,...?@;...+@+.;@@@@@@@@@,.:@#...%@:%@#?,......#@:....................................................................................................................................................................................................................................................................................................................................
......................................................................................................:@%..............................................................................................%@,..........,@$.....................................................................................................................................................................................................................................................................................................................................
................................................................................................@@;,,:$@+..............................................................................................%@,........,,%@+.....................................................................................................................................................................................................................................................................................................................................
................................................................................................?@@@@@@$...............................................................................................%@,........#@@#......................................................................................................................................................................................................................................................................................................................................
.................................................................................................*$@@#*,...............................................................................................%@,........%@$,......................................................................................................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

(一部の.のみの行は省略した / Some .-only lines are omitted)

flag.txtがあることがわかったので、文字列のこの部分をコピペし、cat flag.txtコマンドにより出力させた。

I found that there is flag.txt, so I copy-and-pasted this part of the string and had the server print the contents via cat flag.txt command.

cat flag.txtを表す文字列 / A string to express cat flag.txt
................................................................................................................
................................................................................................................
................................::................+#@#:$@,..............................::..............::......
...............................;@+...............,@@@@,$@,.............................;@+.............;@+......
...............................+@+...............;@$,,.$@,.............................+@+.............+@+......
...............................+@+...............;@*...$@,.............................+@+.............+@+......
....,?#@#*........;%#@@$+.....%@@@@:............#@@@@?.$@,..;%#@@$+....:%@@%,#$.......%@@@@:;@#,...$@;%@@@@:....
...,#@@@@@?......;@@@@@@@;....%@@@@:............#@@@@?.$@,.;@@@@@@@;..:@@@@@$#$.......%@@@@:.?@*..+@?.%@@@@:....
...?@$;,;#@:.....$@+,.:?@%.....+@+...............;@*...$@,.$@+,.:?@%..%@$:,+@@$........+@+...,#@,,@#,..+@+......
...@@,...;@*...........,@$.....+@+...............;@*...$@,.......,@$.,@#,...+@$........+@+....;@%$@;...+@+......
..:@$..............:+*%#@$.....+@+...............;@*...$@,...:+*%#@$.;@?.....@$........+@+.....?@@?....+@+......
..:@%............:$@@@@@@$.....+@+...............;@*...$@,.:$@@@@@@$.+@*.....#$........+@+.....;@@;....+@+......
..:@$............#@#?*;:@$.....+@+...............;@*...$@,.#@#?*;:@$.;@?.....@$........+@+....,#@@#,...+@+......
...@@,...,@%....;@$....+@$.....+@+...............;@*...$@,;@$....+@$.,@#,...+@$........+@+....?@?%@?...+@+......
...%@$:,:$@+....:@#:,,*@@$.....+@?...............;@*...$@,:@#:,,*@@$..$@%:,+@@$........+@?...:@#,,#@;..+@?......
...,#@@@@@%......$@@@@@@@@.....;@@@:.............;@*...$@,.$@@@@@@@@..:@@@@@@@$..:@#...;@@@:,#@;..;@#,.;@@@:....
....,?#@#?,......,%#@#%;$@:.....?@@;.............;@*...$@,.,%#@#%;$@:..:%@@$;@$..:@#....?@@;?@%....%@?..?@@;....
............................................................................:@%.................................
......................................................................@@;,,:$@+.................................
......................................................................?@@@@@@$..................................
.......................................................................*$@@#*,..................................
................................................................................................................
................................................................................................................
.

サーバの応答 / The response from the server
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
..........................%@,...............%@,.......................+#@;?@@@@@@@@@@#..,?@@#*.....?@@@@@@%...?@@@@@@%...,?@@#*....*@@@@@@@#%:........?@;......:?#@@$+...,@@@@@@@@@;................,@*.....?@@@@@@%................:*$@@#%;......,*#@#*.....,*#@#*....*@@@@@@#?:...?@$:................................................................................................................................................................................................................................................
..........................%@,...............%@,......................,@@@;?@@@@@@@@@@#.,#@@@@@%....$@@@@@@%...$@@@@@@%..,#@@@@@%...*@@@@@@@@@@:......:@@;.....?@@@@@@@%..,@@@@@@@@@:...............,$@*.....$@@@@@@%...............+@@@@@@@@?.....%@@@@@%....%@@@@@%...*@@@@@@@@@;..?@@$................................................................................................................................................................................................................................................
..........................%@,........................................+@?,......#@,.....*@%:,;@@;...@#.........@#........*@%:,;@@;..*@*....,;$@$.....,#@@;....*@@*:,,+@@?........*@?...............,$@@*.....@#....................;@@%;,,:*@@+...;@#;,;#@;..;@#;,;#@;..*@*...,:%@@:..,#@................................................................................................................................................................................................................................................
..........................%@,........................................*@;.......#@,.....#@,...+@*..,@%........,@%........#@,...+@*..*@*......,@@.....*@$@;...:@@;.....:@@,......:@$...............+@@$@*....,@%...................,@@*......;@$...%@;...;@%..%@;...;@%..*@*......%@%...?@,...............................................................................................................................................................................................................................................
.......,?#@#*..*@+....,@%.%@,?@@%:...%#:#@%.%@,..,?#@#*....*#@@$;....*@;.......#@,...........*@+..;@*........;@*..............*@+..*@*......,@@....:@??@;...?@?.......?%:......$@;...............##;;@*....;@*...................+@$........?*...@@.....@@..@@.....@@..*@*......,@@...?@,...............................................................................................................................................................................................................................................
......,#@@@@@?.,@$....*@;.%@%@@@@@:..%##@@?.%@,.,#@@@@@?..?@@@@@@;...*@:.......#@,.........,+@#,..*@*%@@%:...*@*%@@%:.......,+@#,..*@*....,;$@%....$#,?@;...$@:...............+@%................;..;@*....*@*%@@%:..............%@+............,@$.....$@,,@$.....$@,.*@*.......$@:..?@:...............................................................................................................................................................................................................................................
......?@$;,;#@:.$@,...$@..%@@+,:$@%..%@#:...%@,.?@$;,;#@:,@#:,,+@$...?@:.......#@,........?@@#:...?@@@@@@@:..?@@@@@@@:.....?@@#:...*@@@@@@@@@@:...*@;.?@;...@@,...............#@:...................;@*....?@@@@@@@:.............#@,............,@%.....%@:,@%.....%@:.*@*.......%@;..*@;...............................................................................................................................................................................................................................................
......@@,...;@*.+@*..,@?..%@+...,@@,.%@+....%@,.@@,...;@*,@#;.......;@#........#@,........?#@@#:..$@*,,:$@#..$@*,,:$@#.....?#@@#:..*@@@@@@@#?:...:@%..?@;...@@...............;@%....................;@*....$@*,,:$@#.............@@,....$@@@@@;.:@%.....%@::@%.....%@:.*@*.......?@+..:@$:..............................................................................................................................................................................................................................................
.....:@$........,@#..*@;..%@,....%@;.%@:....%@,:@$........$@@@$*,..*@#:........#@,..........,?@$........,#@:.......,#@:......,?@$..*@*..,?@%,....$#,..?@;...#@,..............%@;....................;@*..........,#@:............#@,....$@@@@@;.:@%.....%@,:@%.....%@,.*@*.......%@;...+@@,.............................................................................................................................................................................................................................................
.....:@%.........%@:.$#...%@.....?@;.%@,....%@,:@%........,%@@@@@+.*@$:........#@,............#@,........%@;........%@;........#@,.*@*....?@%...*@;...?@;...$@;.......:;,...,@#.....................;@*...........%@;............$@;........?@;.,@$.....$@,,@$.....$@,.*@*.......#@:...+@@,.............................................................................................................................................................................................................................................
.....:@$.........;@*,@?...%@,....%@:.%@,....%@,:@$..........,+%#@@,.;@$........#@,............$@:........%@;........%@;........$@:.*@*....,#@*..$@@@@@@@@@:.*@?.......?@*...;@?.....................;@*...........%@;............+@%........?@;..@@.....@@..@@.....@@..*@*......,@@...,@#:..............................................................................................................................................................................................................................................
......@@,...,@%...##*@:...%@;...,@@,.%@,....%@,.@@,...,@%.......$@:..%@,.......#@,....,@#....,@@,,@#....,@@,,@#....,@@,,@#....,@@,.*@*.....;@@:.$@@@@@@@@@:.:@@:.....;@@:...?@;.....................;@*...,@#....,@@,............,@@*.......%@;..%@;...;@%..%@;...;@%..*@*......%@?...+@;...............................................................................................................................................................................................................................................
......%@$:,:$@+...*@@#....%@@;,:$@%..%@,....%@,.%@$:,:$@+:@$:,,;#@,..*@:.......#@,.....$@%:,;$@%..$@%:,;$@%..$@%:,;$@%..$@%:,;$@%..*@*......%@%.......?@;....?@@*:,:*@@?....$@,.....................;@*....$@%:,;$@%..............;@@%;,,:+#@@;..;@#;,;#@;..;@#;,;#@;..*@*...,;%@@:...?@:...............................................................................................................................................................................................................................................
......,#@@@@@%....,@@*....%@%@@@@#,..%@,....%@,.,#@@@@@%..%@@@@@@?...*@;.......#@,.....:@@@@@@#,..:@@@@@@#,..:@@@@@@#,..:@@@@@@#,..*@*......,@@;......?@;.....%@@@@@@@%,....@@......................;@*....:@@@@@@#,...............+@@@@@@@@#;....%@@@@@%....%@@@@@%...*@@@@@@@@@;....?@,...............................................................................................................................................................................................................................................
.......,?#@#?,.....#@:....%@,%@@%,...%@,....%@,..,?#@#?,..,*#@@$+....*@;.......#@,......:%@@#?,....:%@@#?,....:%@@#?,....:%@@#?,...*@*.......*@#,.....?@;......;%#@@$+......@#......................;@*.....:%@@#?,.................,*$@@#%+......,*#@#*,....,*#@#*,...*@@@@@@#?:.....?@,...............................................................................................................................................................................................................................................
..................,@$................................................+@;..............................................................................................................................................................................................................?@,...............................................................................................................................................................................................................................................
................,,%@+................................................;@?,............................................................................................................................................................................................................,#@................................................................................................................................................................................................................................................
................#@@#.................................................,@@@;.........................................................................................................;@@@@@@@@@@@+....................;@@@@@@@@@@@+...................................................?@@%................................................................................................................................................................................................................................................
................%@$,..................................................+#@;.........................................................................................................;@@@@@@@@@@@+....................;@@@@@@@@@@@+...................................................?@$,................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

(一部の.のみの行は省略した / Some .-only lines are omitted)

flagが得られた。

I obtained the flag.

cybrics{T3553R4C7_15_G00D}

Listing (Reverse)

x86-64アセンブリのソースコードlisting.asmが与えられた。
また、問題文より[rdi]に入れる入力データが求められていることがわかる。

An x86-64 assembly source code listing.asm was given.
Also the task description said that we should answer what should be put to [rdi].

listing.asmは、以下の処理をしていた。

  1. VPXORを用いて、入力に8バイトのデータの繰り返しをxorする
  2. VPSHUFBと8バイトのデータ4個を用いて、1で得られたデータを加工する
  3. VPCMPEQQを用いて、2で得られたデータと決められたデータを比較する
  4. 3の比較の結果、全部一致していれば1、そうでなければ0を返す

This process is performed in listing.asm:

  1. Calculate exclusive-or of the input data and repeated 8-byte data via VPXOR.
  2. Manipulate data from 1 via VPSHUFB and four 8-byte data.
  3. Compare data from 2 and defined data via VPCMPEQQ.
  4. If the data are all same, return 1. Otherwise, return 0.

まず、VPSHUFBによってデータがどう変化するかを調べるため、以下のプログラムを実行した。

Firstly, to determine how VPSHUFB manipulates data, I executed this program:

vpshufb_test.c
vpshufb_test.c
#include <stdio.h>
#include <inttypes.h>

int main(void) {
    char data[32] = "0123456789abcdefghijklmnopqrstuv";
    char data_out[32] = "";
    uint64_t data_place[4] = {
        UINT64_C(0x19181b1a1c1d1f1e),
        UINT64_C(0x1110131215141716),
        UINT64_C(0x09080b0a0c0d0f0e),
        UINT64_C(0x0100030205040706),
    };
    __asm__ __volatile__ (
        "vmovdqu %1, %%ymm0\n\t"
        "vmovdqu %2, %%ymm1\n\t"
        "vpshufb %%ymm1, %%ymm0, %%ymm2\n\t"
        "vmovdqu %%ymm2, %0\n\t"
    : "=m"(data_out) : "m"(data), "m"(data_place) : "memory");
    printf("%.32s\n", data_out);
    return 0;
}

実験の結果、今回のVPSHUFBは、
0123456789abcdefghijklmnopqrstuvefdcab8967452301uvtsqropmnklijgh に変換することがわかった。
さらに、CyberChefで比較対象の「決められたデータ」を1バイトずつの列に変換した。
この「決められたデータ」のバイト列は以下のものである。

As a result, it is revealed that VPSHUFB used here
converts 0123456789abcdefghijklmnopqrstuv to efdcab8967452301uvtsqropmnklijgh.
Also, I extracted each bytes of the "defined data" to compare via CyberChef.
This is the bytes of the "defined data":

f8 cb 61 31 71 22 d6 d5 b9 85 6c 33 27 61 d3 c9 f8 83 65 35 27 23 d5 d5 ab 9a 61 35 23 76 d3 d1

これに基づき、VPSHUFBで加工をする前のデータを手動で求めた。
変換結果はほぼ2バイトずつ順番を保っているが、cdではなくdcstではなくtsを含むことに注意すると吉である。
結果は以下である。

Based on this, I manually determined the input data for VPSHUFB.
The order of most of each 2 bytes are preserved, but it is worth noting that the conversion result contains dc, not cd, and ts, not st.
This is the input data:

d3 c9 27 61 6c 33 b9 85 d6 d5 71 22 31 61 f8 cb d3 d1 23 76 61 35 ab 9a d5 d5 27 23 35 65 f8 83

最後に、このデータに最初のVPXORの効果を打ち消すためのxorをCyberChefでかけた。
x86-64はリトルエンディアンであり、数値表記とバイト列は逆になるため、
入力を一旦反転させてからxorをかけ、また反転させる方法をとった。
その結果、flagが得られた。

Finally, I applied exclusive-or to this data via CyberChef to cancel the effect of the first VPXOR.
Little-endian is used on x86-64 and the order of byte sequence is reversed from the number notation,
so I firstly reversed the input data, then applied exclusive-or, then reversed the result again.
The flag is obtained as a result.

cybrics{fe414125cafedeadeeb0052}

Ad Network (Web)

WebページのURLが与えられた。
ソースを表示して読むと、以下の怪しい部分が見つかった。

An URL of a Web page was given.
Viewing the source, I found this suspicious part:

                <a href="/adnetwork" target="_top" onClick="loadurl(this.href);return false"><img
                            width="440" height="40" border="1" ismap alt="LinkExchange"
                            src="assets/img/adnetwork.gif"></a>

Firefoxでリンク先のURL http://adnetwork-cybrics2021.ctf.su/adnetwork にアクセスしてみると、
アドレスバー上のURLが変化し、「ページの自動転送設定が正しくありません」というエラーが表示された。

Accessing the linked URL http://adnetwork-cybrics2021.ctf.su/adnetwork via Firefox,
the URL in the address bar changed an an error "The page isn't redirecting properly" was shown.

新しいURLへのアクセスも、同様のエラーになった。
20回以上繰り返したが、同様のエラーが出続けた。

I accessed the new URL, seeing the same error.
I repeated this over 20 times, and the error showed up again and again.

そこで、HTTPのリダイレクト先をたどる以下のプログラムを用意し、実行した。

Seeing this, I created this program to follow HTTP redirections and executed that.

request.pl
request.pl
#!/usr/bin/perl

use strict;
use warnings;

use IO::Socket;

sub get_url {
    my $url = $_[0];
    unless ($url =~ /http:\/\/(.*?@)?(.*?)(:.*?)?(\/.*)$/) { return ""; }
    my $host = $2;
    my $port = $3;
    my $path = $4;
    my $req_host;
    if (defined($port)) {
        $port = int(substr($port, 1));
        $req_host = "$host:$port";
    } else {
        $port = 80;
        $req_host = $host;
    }
    my $sock = new IO::Socket::INET(PeerAddr=>$host, PeerPort=>$port, Proto=>"tcp");
    unless ($sock) { die "socket error: $!\n"; }
    binmode($sock);
    print $sock "GET $path HTTP/1.1\r\n";
    print $sock "User-Agent: Perl\r\n";
    print $sock "Host: $req_host\r\n";
    print $sock "Connection: close\r\n";
    print $sock "\r\n";
    my $res = "";
    while (<$sock>) {
        if ($_ =~ /Location: *(.*)\r\n/i) {
            $res = $1;
        }
    }
    close($sock);
    return $res;
}

my $cur_url = "http://adnetwork-cybrics2021.ctf.su/adnetwork";

$| = 1;
print "$cur_url\n";
for (;;) {
    $cur_url = &get_url($cur_url);
    if ($cur_url ne "") {
        print "$cur_url\n";
    } else {
        last;
    }
}

約15分後、実行が完了した。出力の最終行は以下のURLになった。

The execution completed after about 15 minutes. This is the last line of its output:

http://tend.adnetwork-cybrics2021.ctf.su/military-front-low/learn-fill-though-factor-line/hear-hundred-subject-wind/enough-lot-tree-will-color

FirefoxでこのURLにアクセスすることで、flagが得られた。

I obtained the flag by accessing this URL via Firefox.

cybrics{f0lL0w_RUl3Z_F0ll0W_r3d1r3C7z}
1
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
1
0