iwasiblog

Iwashi Blog - Activity log of an iwasi -

SECCON 2019 Online CTF Writeup

I took part in SECCON 2019 Online CTF, so here are writeups for the challenges I solved.

Event overview

  • Time: 2019/10/19 6:00 (UTC) ~ 2019/10/20 6:00 (UTC)
  • Style: Jeopardy (Dynamic Scoring)

Agenda (points are as of the end of the competition)

  • Welcome (misc 50pts)
  • Thank you for playing! (misc 50pts)
  • Beeeeeeeeeer (misc 110pts)
  • Sandstorm (misc 279 pts)
  • coffee_break (crypt 56pts)

Welcome (misc 50pts)

Q

Welcome to the SECCON CTF.

Read rules and check the IRC topic.

A

The flag is written in the IRC channel once you join.

FLAG

SECCON{Welcome to the SECCON 2019 Online CTF}

Thank you for playing! (misc 50pts)

Q

SECCON{We have done all the challenges. Thank you!}

A

Submit it as is.

FLAG

SECCON{We have done all the challenges. Thank you!}

Beeeeeeeeeer (misc 110pts)

Q

Let's decode!

A

The task is to decode an obfuscated shell script.
After removing the obfuscation and stripping the unnecessary parts, the final script looks like this.

export S1="hogefuga"
echo -ne '\a';
sleep 1;
echo -ne '\a';
sleep 1;
echo -ne '\a';
sleep 1;
echo "How many beeps?";
read  n </dev/tty;
export n;
echo 'Enter the password'
: password is bash
read PASSWORD </dev/tty;
echo $(echo -n $PASSWORD|md5sum|cut -d" " -f1) | grep -q "d574d4bb40c84861791a694a999cce69"&& echo "Good Job!"&&printf "\n\033[?7l%1024s" " "&&echo SECCON{$S1$n$PASSWORD};
echo -e '\033[?7h';

Run it and answer the two prompts with 3 and bash respectively to get the flag.

FLAG

SECCON{hogefuga3bash}

Sandstorm (misc 279 pts)

Q

I've received a letter... Uh, Mr. Smith?

sandstorm.png

A

The text in the image mentions Adam, which suggests Adam7, the PNG interlacing scheme.
Running the following code (Processing) yields a QR code. Decoding it gives the flag.

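PImage img;
// level = 1 samples every 8th pixel in x and y, i.e. the positions of Adam7 pass 1
int level = 1;

void setup()
{
  surface.setResizable(true);
  img = loadImage("sandstorm.png");
  // at level 1 the output is 1/8 of the source width and height
  surface.setSize(img.width/8 * level, img.height/8 * level);
}

void draw()
{
  for(int y=0; y<height; y++)
  {
    for(int x=0; x<width; x++)
    {
      // read the source with a stride of (9-level) pixels
      color c = img.get(x*(9-level),y*(9-level));
      set(x,y,c);
    }
  }
  save("result.png");
  noLoop();
}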

The extracted QR code
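
The same idea generalized to all seven Adam7 passes, as an added example that is not part of the original writeup: the Processing sketch above with level = 1 reads the pixels at (8x, 8y), which are exactly the pixels of Adam7 pass 1. The 4x4 pattern and the helper hide_in_pass1 are constructed here as a stand-in for the challenge image.

```python
# Added example: split a pixel grid (list of rows) into its Adam7 passes.
# (x_start, y_start, x_step, y_step) for passes 1..7, as defined by the PNG specification.
ADAM7 = [
    (0, 0, 8, 8),
    (4, 0, 8, 8),
    (0, 4, 4, 8),
    (2, 0, 4, 4),
    (0, 2, 2, 4),
    (1, 0, 2, 2),
    (0, 1, 1, 2),
]

def adam7_pass(pixels, n):
    """Return the reduced image made only of the pixels that belong to pass n (1-7)."""
    x0, y0, dx, dy = ADAM7[n - 1]
    return [row[x0::dx] for row in pixels[y0::dy]]

def hide_in_pass1(secret, noise=0):
    """Constructed cover image: secret pixels sit at (8x, 8y), everything else is noise."""
    h, w = len(secret), len(secret[0])
    cover = [[noise] * (w * 8) for _ in range(h * 8)]
    for y in range(h):
        for x in range(w):
            cover[y * 8][x * 8] = secret[y][x]
    return cover

# Constructed 4x4 pattern standing in for the QR code (1 = black, 0 = white).
SECRET = [[1, 0, 1, 1], [0, 1, 0, 0], [1, 1, 0, 1], [0, 0, 1, 0]]
COVER = hide_in_pass1(SECRET, noise=7)  # 32x32 image, noise value 7 everywhere else

if __name__ == "__main__":
    # Size of each pass; together the seven passes cover every pixel exactly once.
    for n in range(1, 8):
        sub = adam7_pass(COVER, n)
        print("pass", n, "->", len(sub[0]), "x", len(sub))
    # Pass 1 alone reveals the hidden pattern.
    for row in adam7_pass(COVER, 1):
        print("".join("#" if p == 1 else "." for p in row))
```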

FLAG

SECCON{p0nlMpzlCQ5AHol6}

coffee_break (crypt 56pts)

Q

The program "encrypt.py" gets one string argument and outputs ciphertext.

Example:

$ python encrypt.py "test_text"
gYYpbhlXwuM59PtV1qctnQ==

The following text is ciphertext with "encrypt.py".

FyRyZNBO2MG6ncd3hEkC/yeYKUseI/CxYoZiIeV2fe/Jmtwx+WbWmU1gtMX9m905

A

We are given the encryption script and a ciphertext.
Writing a function that performs the steps in reverse and decrypting gives the flag.

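# Python 3, requires PyCryptodome (Crypto.Cipher.AES)
from Crypto.Cipher import AES
import base64

def decrypt(key, text):
    # Undo the per-character shift over printable ASCII (0x20-0x7e, 0x5f symbols).
    s = ''
    for i in range(len(text)):
        c = ord(text[i]) - 0x20
        # subtract the key offset and wrap around modulo the alphabet size
        c = (c - (ord(key[i % len(key)]) - 0x20)) % 0x5f
        s += chr(c + 0x20)
    return s

key1 = "SECCON"
key2 = "seccon2019"
enc3 = "FyRyZNBO2MG6ncd3hEkC/yeYKUseI/CxYoZiIeV2fe/Jmtwx+WbWmU1gtMX9m905"

# AES key is key2 padded with zero bytes up to 16 bytes
aes_key = key2.encode() + b"\x00" * (16 - (len(key2) % 16))
cipher = AES.new(aes_key, AES.MODE_ECB)

dec1 = base64.b64decode(enc3)
dec2 = cipher.decrypt(dec1).decode("latin-1")
# the last character holds the padding length; strip it before undoing the shift
dec3 = decrypt(key1, dec2[0:len(dec2) - ord(dec2[-1])])
print(dec3)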

FLAG

SECCON{Success_Decryption_Yeah_Yeah_SECCON}

Final result

kuroiwasi, 131st place, 545 points
SECCON 2019 Online CTF final result