# SECCON 2019 Online CTF Writeup
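Authors: [賴柏霖](#r08725022), [曾梓豪](#how123480), [陳禹媛](#yuyuanhey)
CTFtime URL: https://ctftime.org/event/799
Team name: ForHomework~
SECCON Online was held around October, when we had only had a few classes and had little prior CTF experience, so we took part with a relaxed attitude. We had no particular division of labor or strategy; each of us simply tried whichever challenges looked interesting. In the end we solved four challenges in total, scored 266 points, and placed 201st.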
###### tags: `SECCON` `2019` `CTF`
## r08725022
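* Name: 賴柏霖
* Student ID: r08725022
* Nickname: r08725022
This time I took part in the SECCON competition with two very skilled classmates from the same course. Apart from the free-point challenges, basically only the first cryptography challenge had a clear goal. I originally wanted to start with reverse, which we had covered in class over the previous two weeks, but when I loaded the binary I found that x32dbg could not run it, and the whole func left me completely confused, so I gave up. I then moved on to web. I first tried the first web challenge, opt_cmd, and found that it could run some commands with system, so I happily wanted to try a reverse_shell, but no matter what I did it would not work; the socket was always closed.
Later I looked up a lot of material and found that this challenge fit SSRF well, so I kept trying all sorts of bypasses, but none succeeded. I then skipped ahead to the search challenge, but none of the many XSS techniques I tried worked. I also wanted to access other directories without authorization and scan around, but that did not succeed either.
After that we went on to some misc challenges. One of them, Beeeeeeeeeer, I found very interesting: you gunzip the thing in the middle and then do some processing on it.
All in all I think this was a great experience. Solving challenges like these under time pressure taught me a lot, and I will keep improving my skills so that I can at least catch sight of the experts' tail lights.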
## how123480
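* Name: 曾梓豪
* Student ID: r08921a07
* Nickname: how123480
### Solved challenges
1. Welcome: the sign-in challenge
2. Thank you for playing: the sign-out challenge
3. Beeeeeeeeeer: my teammate's brilliant solve! I read it on my knees!!!
4. coffee_break: very easy, the same as HW0. You are given the encryption algorithm and have to work out the FLAG; the decrypt formula can be derived by working backwards.
### Unsolved challenges
1. Option-command-U:
This is a simple website that lets you view HTML. Accessing flag.php should show the flag, but when you try to access flag.php it checks whether the IP is an internal one. It seems some people solved it with DNS rebind, or bypassed the check through an inconsistency in URL parsing.
2. one:
As I recall this was a menu challenge. Luckily I did not spend much time on it, since I did not know how to solve heap challenges back then. As I recall it was the same as a lab exercise?
3. Crazy repetition of codes:
At first I thought it was easy. Each round encrypts int("1"*10000) times, and I wondered whether the same result could be obtained without computing that many rounds, so I tried brute force, which failed.
4. ZKPay:
This one was a pity: only after reading someone else's writeup did I realize we had almost solved it, and it was worth quite a lot of points.
This challenge transfers money via QR codes. Everyone starts with 500, and the flag is shown once your balance reaches 1000000. Decoding the QR code with a phone reveals the username, the transfer amount, and the proof. We did not know how to compute the proof, and a transfer with a forged proof fails.
A transfer of more than 500 fails. My original idea was to transfer -100000000000……0 and see whether it would overflow, but beyond a certain size the balance just became 0. I then looked for encryption and decryption algorithms to see whether I could compute the proof, but that failed too.
According to someone else's writeup, you only need to create two accounts and have one of them transfer -1000000 to the other. It felt like a very un-crypto crypto challenge.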
## yuyuanhey
* Name: 陳禹媛
* Student ID: r08725025
* Nickname: yuyuanhey
I only solved the misc challenge Beeeeeeeeeer, which can be divided into three stages:
### Stage 1
After opening the source file, lots of messy code and symbols are shown. It's apparently a **Unix shell executable file**. I appended a line break after each ```;```, and it looks clearer:

<center>Appending line break symbol after each ";"</center>
There are some combinations of symbols that look like hex codes and Unicode, such as ```\x31\x35``` and ```\u0031```. Following my conjecture, I transformed these strings into ASCII and got some readable Unix commands. I didn't use any trick here but manually replaced them.
After the substitution, there are lots of useless commands, such as ```shutdown```, ```restart```, etc. These commands are unimportant, and the key is **the base64 string** in the middle of this file.

<center>The most important part in this source file.</center>
We can find that the base64 string can be decoded and decompressed with the **gunzip** command. After running the commands, I got a second-stage source file. It's worth mentioning that there is a variable ```$S1 = "hogefuga"``` exported.
### Stage 2
It's similar to the source code of Stage 1 but much shorter. After adding line breaks and substituting the hex codes and Unicode, we can find that there is also a base64 string at the bottom of this file. However, it seems to be encrypted with **AES256**, and the key is related to the total number of beeps invoked by this shell file.
After being confused by the randomized length of the sequences at the top of the file, I finally figured out that the total number of beeps is actually **only 3**, and that the randomized numbers of beeps at the top are unimportant.

<center>$n is actually a constant number, 3</center>
Therefore, after decoding the base64 string and decrypting with the key ```echo 3 | md5sum | cut -c 2,3,5,12```, I got another source file, which is the last stage of this problem. It's worth mentioning that there is a variable ```$n = 3``` exported.
### Stage 3

<center>The source file in Stage 3</center>
The final file looks weirder than the previous files. Apparently, the last Unix shell file used another encoding method. The good news is that the flag is shown below as ```SECCON{$S1$n$_____}```. In the previous shell code, the variables ```$S1``` and ```$n``` were exported. So, the flag is ```SECCON{hogefuga3$_____}```.
How to get ```$_____```? Because this is a shell file, all the code in it should be interpretable in Unix. Therefore, I echoed each combination of symbols in the Unix terminal and got the corresponding **CHAR**. With this method, I substituted all unknown combinations of symbols and got the following source file:

<center>The bash file after decoding.</center>
### Conclusion
The key is ```password is bash```, which means ```$_____ = "bash"```. Finally, the flag was obtained: ```SECCON{hogefuga3bash}```.
I also tried to solve "sandstorm" and gave up after failing with almost all of my steganography skills, when the key point of this problem is actually the **Adam7 algorithm**. Although the problems in this contest were very difficult for me, the process of solving them was very interesting :)
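
The Stage 1 steps above (split on ```;```, decode the ```\xNN``` / ```\uNNNN``` escapes, then base64-decode and gunzip the embedded string) can be done statically, without running the obfuscated script. This is an added example, not code from the original writeup or the challenge; the sample script is constructed and the function names are illustrative.

```python
import base64
import gzip
import re
import zlib

# \xNN and \uNNNN escapes, the two encodings the writeup found in the script.
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")
# Runs of base64 characters; the 16-character minimum is an assumption to skip ordinary words.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_escapes(text: str) -> str:
    """Replace each escape with the character it encodes; nothing is executed."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def split_statements(script: str) -> list[str]:
    """One statement per entry, mirroring the manual line break after each ';'."""
    return [part.strip() for part in script.split(";") if part.strip()]


def extract_gzip_payloads(text: str) -> list[str]:
    """Decompress every base64 run that decodes to a gzip stream (magic 1f 8b)."""
    payloads = []
    for candidate in B64_RE.findall(text):
        try:
            raw = base64.b64decode(candidate, validate=True)
            if raw.startswith(b"\x1f\x8b"):
                payloads.append(gzip.decompress(raw).decode("utf-8", "replace"))
        except (ValueError, OSError, EOFError, zlib.error):
            continue  # not valid base64, or not a complete gzip stream
    return payloads


def build_sample() -> tuple[str, str]:
    """Constructed stand-in for the challenge file, which the page does not reproduce."""
    inner = 'echo "constructed stage 2"\n'
    blob = base64.b64encode(gzip.compress(inner.encode())).decode()
    outer = r"\x65\x63\x68\x6f \u0027" + blob + r"\u0027|\x62ase64 -d|\x67unzip;\x65cho done;"
    return outer, inner


if __name__ == "__main__":
    obfuscated, _ = build_sample()
    readable = decode_escapes(obfuscated)
    for statement in split_statements(readable):
        print(statement[:60])
    print(extract_gzip_payloads(readable))
```

Decoding the escapes first matters: in the raw text the ```\u0027``` quote characters run into the base64 string, so the payload is only found after substitution.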
## Appendix
### Solved challenges:


### Final score and ranking:

### Individual scores:
