WaniCTF 2024 Write Up
===

:::info
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/Bk7oXL_8C.png">
<img src="https://hackmd.io/_uploads/BJKoEIdUR.png">
<p style="font-size:20px">RK: 74/1476</p>
</div>
:::

---

## MISC

### Cheat Code

:::info
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/SyleuUOU0.png">
</div>

```python=
from hashlib import sha256
import os
from secrets import randbelow
from secret import flag, cheat_code
import re

challenge_times = 100
hash_strength = int(os.environ.get("HASH_STRENGTH", 10000))


def super_strong_hash(s: str) -> bytes:
    sb = s.encode()
    for _ in range(hash_strength):
        sb = sha256(sb).digest()
    return sb


cheat_code_hash = super_strong_hash(cheat_code)
print(f"hash of cheat code: {cheat_code_hash.hex()}")
print("If you know the cheat code, you will always be accepted!")

secret_number = randbelow(10**10)
secret_code = f"{secret_number:010d}"
print(secret_code)
print(f"Find the secret code of 10 digits in {challenge_times} challenges!")


def check_code(given_secret_code, given_cheat_code):
    def check_cheat_code(given_cheat_code):
        return super_strong_hash(given_cheat_code) == cheat_code_hash

    digit_is_correct = []
    for i in range(10):
        digit_is_correct.append(given_secret_code[i] == secret_code[i] or check_cheat_code(given_cheat_code))
    return all(digit_is_correct)


given_cheat_code = input("Enter the cheat code: ")
if len(given_cheat_code) > 50:
    print("Too long!")
    exit(1)

for i in range(challenge_times):
    print(f"=====Challenge {i+1:03d}=====")
    given_secret_code = input("Enter the secret code: ")
    if not re.match(r"^\d{10}$", given_secret_code):
        print("Wrong format!")
        exit(1)
    if check_code(given_secret_code, given_cheat_code):
        print("Correct!")
        print(flag)
        exit(0)
    else:
        print("Wrong!")

print("Game over!")
```
:::

:::success
At first I thought this challenge really wanted me to guess `cheat_code_hash`, but there's no way.
Seeing the hash run 10000 times looked really odd 🤔
So I tried measuring the time.

<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/rk7MTIOIC.png">
<p>One of them clearly takes slightly less time.</p>
</div>

```python=
from pwn import remote, process
from time import time
import sys

# No argument: run the challenge locally; "remote": connect to the contest server
io = (
    process(["python3", "./server.py"])
    if len(sys.argv) == 1
    else remote("chal-lz56g6.wanictf.org", 5000)
    if sys.argv[1] == "remote"
    else (print("Invalid argument") or sys.exit(1))
)

print(io.recvline())
print(io.recvline())
print(io.recvline())
print(io.recv())
io.sendline(b"A")  # any wrong cheat code; its hash is what makes wrong digits slow

ans = b""
for i in range(10)[::-1]:
    min_t = 10
    ch = b""
    # Try each digit at the current position and keep the fastest response
    for j in range(10):
        s = io.recvline()
        print(s)
        if b"Correct" in s or b"FLAG" in s:
            exit()
        io.sendline(ans + str(j).encode() + b"0" * i)
        a = time()
        print(io.recvline())
        t = time() - a
        print(t)
        if t < min_t:
            min_t = t
            ch = str(j).encode()
    ans += ch
```

FLAG{t1m!ng_a774ck_1s_f34rfu1}
:::

## Forensics

### Surveillance_of_sus

:::info
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/H1NJ_I_L0.png">
<img src="https://hackmd.io/_uploads/B1pxeDuLR.png">
<p>It's obviously RDP, so I started looking for a tool.</p>
</div>
:::

:::success
https://github.com/ANSSI-FR/bmc-tools

<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/Bkqw-PdLC.png">
<p>Never mind, just read it off by eye.</p>
</div>

FLAG{RDP_is_useful_yipeeee}
:::

### I_wanna_be_a_streamer

:::info
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/Byq1u8OU0.png">
</div>
:::

:::success
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/HkOc8TsIC.png">
<p>Wireshark even has a bug == While writing this write-up I couldn't get it to convert to H264.<br>
It turns out you have to set it to some other type first and then set it to 96 before it will decode.</p>
</div>

Finally, I extracted it with the <a href="https://github.com/volvet/h264extractor">plugin</a>.

<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/SJKPCps8R.jpg">
</div>
:::

### mem_search (solved after the contest)

:::info
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/H1MldIOIA.png">
</div>
:::

:::success
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/rJK_PRjLC.png">
<img src="https://hackmd.io/_uploads/ByTOvRsIR.png">
<img src="https://hackmd.io/_uploads/rkbFv0j8C.png">
<img src="https://hackmd.io/_uploads/Hk4Yw0oU0.png">
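During the contest it didn't occur to me to look in a specific folder; I even went digging through processes ==<br>
What was I even doing RR<br>
So I didn't solve it.
<img src="https://cdn.7tv.app/emote/60b1517fdb601b4ac8ed7916/4x.webp" width="5%">
</div>
:::

:::danger
<div style="text-align: center;">
I thought it was pretty fun. This write-up only covers challenge types I hadn't done before, as a record.<br>
I solved all of Reverse except the JS one, which I think is decent.<br>
(Though I was rather surprised that the hardest Pwn only went as far as ROP.)
</div>
:::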
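
The timing leak behind the Cheat Code solve above, shown next to a hardened check. This is an added example, not the challenge's or the write-up's own code. The names `check_code_leaky`, `check_code_fixed` and `hash_calls`, the lowered `HASH_STRENGTH`, and the sample secret and cheat code are assumptions constructed for illustration; hash invocations are counted as a deterministic stand-in for response time.

```python
import hmac
from hashlib import sha256

HASH_STRENGTH = 200  # constructed; the challenge defaults to 10000

def super_strong_hash(s: str, calls: list) -> bytes:
    calls[0] += 1  # count invocations: a deterministic stand-in for elapsed time
    sb = s.encode()
    for _ in range(HASH_STRENGTH):
        sb = sha256(sb).digest()
    return sb

# Constructed sample values, not the challenge's real secrets.
SECRET_CODE = "1234567890"
CHEAT_HASH = super_strong_hash("constructed-cheat-code", [0])

def check_code_leaky(guess: str, cheat: str, calls: list) -> bool:
    # Same shape as the challenge: `or` skips the slow hash for every
    # digit that already matches, so work done reveals the match count.
    results = []
    for i in range(10):
        results.append(guess[i] == SECRET_CODE[i]
                       or super_strong_hash(cheat, calls) == CHEAT_HASH)
    return all(results)

def check_code_fixed(guess: str, cheat: str, calls: list) -> bool:
    # Hash the cheat code exactly once and compare whole values in
    # constant time, so the work is independent of the guess.
    cheat_ok = hmac.compare_digest(super_strong_hash(cheat, calls), CHEAT_HASH)
    code_ok = hmac.compare_digest(guess.encode(), SECRET_CODE.encode())
    return cheat_ok | code_ok

def hash_calls(check, guess: str, cheat: str = "A") -> int:
    """Return how many slow hashes one check performed for this guess."""
    calls = [0]
    check(guess, cheat, calls)
    return calls[0]

if __name__ == "__main__":
    for guess in ("0000000000", "1000000000", "1230000000", SECRET_CODE):
        print(guess, hash_calls(check_code_leaky, guess),
              hash_calls(check_code_fixed, guess))
```

In the leaky version the number of slow hashes equals the number of wrong digits, which is why the fastest response marks the correct digit; the fixed version always performs one.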