INTIGRITI CTF - HackMD

# INTIGRITI CTF ## Reverse 1. Flag_checker [https://actvneduvn-my.sharepoint.com/:u:/g/personal/at19n0106_actvn_edu_vn/EesIqoNn0AdOqTLucjKfj2cBStJeV9MEd00ubUJp-JyzkQ?e=9SeGbN](https://) - Là challenge đơn giản chỉ cần sử dụng z3-python để tìm flag đúng ``` from z3 import * s = Solver() flag = [] for i in range(22): flag.append(BitVec(f"f_{i}", 8)) s.add(flag[18]* flag[7]& flag[12]^ flag[2]== 36) s.add(flag[1]% flag[14]- flag[21]% flag[15]== -3) s.add(flag[10]+ flag[4]* flag[11]- flag[20]== 5141) s.add(flag[19]+ flag[12]* flag[0]^ flag[16]== 8332) s.add(flag[9]^ flag[13]* flag[8]& flag[16]== 113) s.add(flag[3]* flag[17]+ flag[5]+ flag[6]== 7090) s.add(flag[21]* flag[2]^ flag[3]^ flag[19]== 10521) s.add(flag[11]^ flag[20]* flag[1]+ flag[6]== 6787) s.add(flag[7]+ flag[5]- flag[18]& flag[9]== 96) s.add(flag[12]* flag[8]- flag[10]+ flag[4]== 8277) s.add(flag[16]^ flag[17]* flag[13]+ flag[14]== 4986) s.add(flag[0]* flag[15]+ flag[3]== 7008) s.add(flag[13]+ flag[18]* flag[2]& flag[5]^ flag[10]== 118) s.add(flag[0]% flag[12]- flag[19]% flag[7]== 73) s.add(flag[14]+ flag[21]* flag[16]- flag[8]== 11228) s.add(flag[3]+ flag[17]* flag[9]^ flag[11]== 11686) s.add(flag[15]^ flag[4]* flag[20]& flag[1]== 95) s.add(flag[6]* flag[12]+ flag[19]+ flag[2]== 8490) s.add(flag[7]* flag[5]^ flag[10]^ flag[0]== 6869) s.add(flag[21]^ flag[13]* flag[15]+ flag[11]== 4936) s.add(flag[16]+ flag[20]- flag[3]& flag[9]== 104) s.add(flag[18]* flag[1]- flag[4]+ flag[14]== 5440) s.add(flag[8]^ flag[6]* flag[17]+ flag[12]== 7104) s.add(flag[11]* flag[2]+ flag[15]== 6143) for i in range(22): s.add(flag[i] >= 33) s.add(flag[i] <= 127) print(s.check()) flag_arr = s.model() print(flag_arr) for i in range(0,22): print(chr(flag_arr.eval(eval(f'flag[{i}]')).as_long()),end='') ``` 2. Anonymous [https://actvneduvn-my.sharepoint.com/:u:/g/personal/at19n0106_actvn_edu_vn/EfwGijjmb5xDrGsWdxsAAcgBoltAoptRzFabp61tOo7iEw?e=L3AaKU](https://) - check file ![image](https://hackmd.io/_uploads/By0Xt4PNT.png) - Library .NET vì vậy ta sử dụng công cụ **Dnspy** để decompile ![image](https://hackmd.io/_uploads/r1GRYEvN6.png) - Sau 1 lúc tìm kiếm chuỗi phù hợp và decode base64 ta thu được ![image](https://hackmd.io/_uploads/rkdN9NvE6.png) 3. Obfuscation [https://actvneduvn-my.sharepoint.com/:u:/g/personal/at19n0106_actvn_edu_vn/EapwWihrDORIqw2XE64SEDQBUzCPHqz1NwLuK9S1A8Gwqw?e=BmptcZ](https://) - Unobfuscation [https://actvneduvn-my.sharepoint.com/:u:/g/personal/at19n0106_actvn_edu_vn/ERnRAEbCCHxCpAhZADi8ejgBM4miSQ0ATlLWLQaFPcQGgg?e=gPTimV](https://) - Code khá đơn giản dễ hiểu - Solve ``` from ctypes import * key = [42, 77, 3, 8, 69, 86, 60, 99, 50, 76, 15, 14, 41, 87, 45, 61, 16, 50, 20, 5, 13, 33, 62, 70, 70, 77, 28, 85, 82, 26, 28, 32, 56, 22, 21, 48, 38, 42, 98, 20, 44, 66, 21, 55, 98, 17, 20, 93, 99, 54, 21, 43, 80, 99, 64, 98, 55, 3, 95, 16, 56, 62, 42, 83, 72, 23, 71, 61, 90, 14, 33, 45, 84, 25, 24, 96, 74, 2, 1, 92, 25, 33, 36, 6, 26, 14, 37, 33, 100, 3, 30, 1, 31, 31, 86, 92, 61, 86, 81, 38] data = open("output", "rb").read() for i in range(len(data)): print(chr(data[i]^c_int8(key[i%len(key)]^4919).value),end="") ``` 4. Impackful [https://actvneduvn-my.sharepoint.com/:f:/g/personal/at19n0106_actvn_edu_vn/EuN8ajinixhEm7vnAgviYScBvk2iXjhIOiwC6nICSt5c9Q?e=S8vyWq](https://) - check file ta thấy file được packed bởi upx unpack: upx -d <ten_file_pack> -o <ten_file_unpack> - File đã bị pack ![image](https://hackmd.io/_uploads/BJanJBDEa.png) - File sau unpack ![image](https://hackmd.io/_uploads/Sk-s1BvEa.png) > "N3v3R" > flag: INTIGRITI{N3v3R} 5. CrackMeIfweCan [https://actvneduvn-my.sharepoint.com/:f:/g/personal/at19n0106_actvn_edu_vn/EmRKfkdYU_5Llb7aW8jWlHwBQQY6nLGYOKBIjceiENYubg?e=NXpiQU](https://) -check: .NET ![image](https://hackmd.io/_uploads/rkJHH8PEp.png) - không thể xem được mã code, sau thời gian tìm kiếm tham khảo tôi biết đến tool sau: [https://github.com/wwh1004/ExtremeDumper](https://) ![image](https://hackmd.io/_uploads/H15g8LP4p.png) - Tiếp theo sử dụng ILspy để decompile ![image](https://hackmd.io/_uploads/HyX288PNT.png) ![image](https://hackmd.io/_uploads/BkYCLID46.png) - Dựa vào những thông tin trên thì tôi hiểu được challenge này như sau: pass^enc[x]=="WhatAreYouDoingToChallenge" - như vậy việc cần làm bây giờ là tìm chuỗi ```enc``` và viết script tìm password ![image](https://hackmd.io/_uploads/HJlvu8D4p.png) - solve ``` x = [0x3E, 0x06, 0x15, 0x1D, 0x26, 0x00, 0x0C, 0x2D, 0x06, 0x0E, 0x1D, 0x00, 0x1C, 0x31, 0x26, 0x26, 0x0A, 0x1C, 0x29, 0x0C, 0x0D, 0x16, 0x0C, 0x00, 0x00, 0x18] textToScramble = "" for i in range(len(x)): textToScramble += chr(x[i]) password = "WhatAreYouDoingToChallenge" num = 0 num2 = len(textToScramble) - 1 stringBuilder = "" for i in range(num, num2 + 1): num3 = i % len(password) c = ord(textToScramble[i]) c = c ^ ord(password[num3]) stringBuilder += chr(c) print(stringBuilder) ``` > intigriti{You_Are_Amazing}