総務省CTF writeup

Last updated at 2023-12-16Posted at 2023-12-16

総務省CTFに参加したので備忘録です。

zo113、150ポイントでチームの中で一番貢献できませんでしたね。

まあでもチームメンバーのおかげで8位を取ることができたので満足。

途中で予定があり抜けたので正直もうちょっと本腰入れたかった。

redacated

初手ghidraで出てきた配列が0x35でxorするとフラグだとコードにより自明なのでpython3でワンライナー。

redacated [reversing]

undefined8 main(void)

{
  long in_FS_OFFSET;
  ulong local_150;
  undefined4 local_148 [60];
  byte local_58 [72];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_148[0] = 0x73;
  local_148[1] = 0x79;
  local_148[2] = 0x74;
  local_148[3] = 0x72;
  local_148[4] = 0x4e;
  local_148[5] = 0x42;
  local_148[6] = 0x5d;
  local_148[7] = 6;
  local_148[8] = 0x5b;
  local_148[9] = 0x6a;
  local_148[10] = 0x4c;
  local_148[11] = 5;
  local_148[12] = 0x40;
  local_148[13] = 0x6a;
  local_148[14] = 3;
  local_148[15] = 0x54;
  local_148[16] = 0x4f;
  local_148[17] = 0x50;
  local_148[18] = 0x6a;
  local_148[19] = 0x5c;
  local_148[20] = 0x5b;
  local_148[21] = 0x41;
  local_148[22] = 5;
  local_148[23] = 0x6a;
  local_148[24] = 1;
  local_148[25] = 0x5d;
  local_148[26] = 0x50;
  local_148[27] = 0x6a;
  local_148[28] = 0x54;
  local_148[29] = 0x57;
  local_148[30] = 0x4c;
  local_148[31] = 6;
  local_148[32] = 6;
  local_148[33] = 0x6a;
  local_148[34] = 1;
  local_148[35] = 0x5d;
  local_148[36] = 0x50;
  local_148[37] = 0x6a;
  local_148[38] = 1;
  local_148[39] = 0x57;
  local_148[40] = 0x4c;
  local_148[41] = 6;
  local_148[42] = 0x46;
  local_148[43] = 0x6a;
  local_148[44] = 0x52;
  local_148[45] = 1;
  local_148[46] = 0x4f;
  local_148[47] = 0x50;
  local_148[48] = 0x46;
  local_148[49] = 0x6a;
  local_148[50] = 4;
  local_148[51] = 0x5b;
  local_148[52] = 0x41;
  local_148[53] = 5;
  local_148[54] = 0x6a;
  local_148[55] = 0x4c;
  local_148[56] = 5;
  local_148[57] = 0x40;
  local_148[58] = 0x48;
  local_148[59] = 0x35;
  for (local_150 = 0; local_150 < 0x3c; local_150 = local_150 + 1) {
    local_58[local_150] = (byte)local_148[local_150] ^ 0x35;
  }
  printf("%s",local_58);
  puts(&DAT_00102010);
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

ソルバーをpython3で


[print(x,end='') for x in list(map(lambda x: chr(x^0x35),[115, 121, 116, 114, 78, 66, 93, 6, 91, 106, 76, 5, 64, 106, 3, 84, 79, 80, 106, 92, 91, 65, 5, 106, 1, 93, 80, 106, 84, 87, 76, 6, 6, 106, 1, 93, 80, 106, 1, 87, 76, 6, 70, 106, 82, 1, 79, 80, 70, 106, 4, 91, 65, 5, 106, 76, 5, 64, 72, 53]))]

gitty [misc]

gitレポジトリが渡されるのでgit diff HEAD^^^^^とか適当に遡ったら削除されたフラグが見つかる

感想

とても楽しかったです。

後輩とか巻き込んでTKCTF-clubを引き継がせて完走した感想を書かせたいですね。

うちの部のメンバーによるwriteup達
https://twitter.com/TKCTF_talker/status/1735983762075525219

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up