SECCON2016 CTF オンライン予選

あまり余裕はないけどとりあえずエントリーはしてみた。

Title	Genre	Point
Vigenere	Crypto	100
VoIP	Forensics	100
Memory Analysis	Forensics	100
biscuiti	Web, Crypto	300
chat	Exploit	500
cheer msg	Exploit	100
Anti-Debugging	Binary	100
basiq	Web	100
jmper	Exploit	300
mboard	Exploit	500
AlphaComplex1	Crypto	300
PNG over Telegraph	Crypto	300
tinypad	Exploit	300
logger	Exploit	300
pppppoxy	Web	200
ropsynth	Binary	400
microcomputer	Binary	500
Backpacker’s Capricious Cipher	Crypto	200
uncomfortable web	Web	300
randomware	Forensics	300
checker	Exploit	300
Missile	Exploit	400
Obfuscated AES	Binary, Crypto	500
Retrospective	Binary	200
Lost Decryption	Binary, Crypto	200
shopping	Exploit	400
AlphaComplex2 [LAST]	Crypto	500

Vigenere
k: ????????????
p: SECCON{???????????????????????????????????}
c: LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ

k=key, p=plain, c=cipher, md5(p)=f528a6ab914c1ecf856a1d93103948fe

|ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
-+—————————-
A|ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
B|BCDEFGHIJKLMNOPQRSTUVWXYZ{}A
C|CDEFGHIJKLMNOPQRSTUVWXYZ{}AB
D|DEFGHIJKLMNOPQRSTUVWXYZ{}ABC
E|EFGHIJKLMNOPQRSTUVWXYZ{}ABCD
F|FGHIJKLMNOPQRSTUVWXYZ{}ABCDE
G|GHIJKLMNOPQRSTUVWXYZ{}ABCDEF
H|HIJKLMNOPQRSTUVWXYZ{}ABCDEFG
I|IJKLMNOPQRSTUVWXYZ{}ABCDEFGH
J|JKLMNOPQRSTUVWXYZ{}ABCDEFGHI
K|KLMNOPQRSTUVWXYZ{}ABCDEFGHIJ
L|LMNOPQRSTUVWXYZ{}ABCDEFGHIJK
M|MNOPQRSTUVWXYZ{}ABCDEFGHIJKL
N|NOPQRSTUVWXYZ{}ABCDEFGHIJKLM
O|OPQRSTUVWXYZ{}ABCDEFGHIJKLMN
P|PQRSTUVWXYZ{}ABCDEFGHIJKLMNO
Q|QRSTUVWXYZ{}ABCDEFGHIJKLMNOP
R|RSTUVWXYZ{}ABCDEFGHIJKLMNOPQ
S|STUVWXYZ{}ABCDEFGHIJKLMNOPQR
T|TUVWXYZ{}ABCDEFGHIJKLMNOPQRS
U|UVWXYZ{}ABCDEFGHIJKLMNOPQRST
V|VWXYZ{}ABCDEFGHIJKLMNOPQRSTU
W|WXYZ{}ABCDEFGHIJKLMNOPQRSTUV
X|XYZ{}ABCDEFGHIJKLMNOPQRSTUVW
Y|YZ{}ABCDEFGHIJKLMNOPQRSTUVWX
Z|Z{}ABCDEFGHIJKLMNOPQRSTUVWXY
{|{}ABCDEFGHIJKLMNOPQRSTUVWXYZ
}|}ABCDEFGHIJKLMNOPQRSTUVWXYZ{
Vigenere cipher
https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher

VoIP
Extract a voice.
The flag format is SECCON{[A-Z0-9]}.
voip.pcap

Memory Analysis
Find the website that the fake svchost is accessing.
You can get the flag if you access the website!!

memoryanalysis.zip
The challenge files are huge, please download it first.
Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file

password: fjliejflsjiejlsiejee33cnc

biscuiti
Can you login as admin?
http://biscuiti.pwn.seccon.jp/
biscuiti.zip

Note: You should estimate that exploits cost an hour.

chat
Host : chat.pwn.seccon.jp
Port : 26895

chat (SHA1 : 6a60392ff43764570a1ea32de00ac6124469af0c)
libc-2.19.so (SHA1 : 8674307c6c294e2f710def8c57925a50e60ee69e)

cheer msg
Host : cheermsg.pwn.seccon.jp
Port : 30527

cheer_msg (SHA1 : a89bdbaf3a918b589e14446f88d51b2c63cb219f)
libc-2.19.so (SHA1 : c4dc1270c1449536ab2efbbe7053231f1a776368)

Anti-Debugging
Reverse it.
bin
may some AV will alert,but no problem.

basiq
What is admin’s password?☺
http://basiq.pwn.seccon.jp

jmper
Host : jmper.pwn.seccon.jp
Port : 5656

jmper (SHA1 :78e21967c2de5988876df938559a850e24a000af)
libc-2.19.so (SHA1 :8674307c6c294e2f710def8c57925a50e60ee69e)

mboard
Host : mboard.pwn.seccon.jp
Port : 8273
Execute command : ./mvees_sandbox –replicas=1 –level=2 –out-limit=8192 –deny=11 ./mboard 2>&1
mboard.zip
mboard (SHA1 : cbd1701364cd7a41208cf4fd3cd5e82269f65b27)
mvees_sandbox (SHA1 : 38188bb110a74fb5641a3b51386d73c0d9ab0ed1)
libc-2.19.so (SHA1 : c4dc1270c1449536ab2efbbe7053231f1a776368)

Alpha Complex 1
Mission: Decrypt ac1.pwn.seccon.jp:31337
AlphaComplex1.zip

PNG over Telegraph
Analyze signal in this video.
You will able to get PNG, if you success to decode it.

Host : tinypad.pwn.seccon.jp
Port : 57463

Heap Fun as a Service!

tinypad (SHA1 : 0e6d01f582e5d8f00283f02d2281cc2c661eba72)
libc-2.19.so (SHA1 : 8674307c6c294e2f710def8c57925a50e60ee69e)

logger
Host : logger.pwn.seccon.jp
Port : 6565

logger (SHA1 : fee7140cb33d79c0406de49f7f8985fd459468ea)
libc-2.19.so (SHA1 : 8674307c6c294e2f710def8c57925a50e60ee69e)

pppppoxy
Log in as admin and get the flag
pppppoxy.zip.

ropsynth
ropsynth.pwn.seccon.jp:10000
Read “secret” and output the content such as the following code.

==
fd = open(“secret”, 0, 0);
len = read(fd, buf, 256);
write(1, buf, len);
==
dist.tgz

microcomputer

Remote debugging of a micro computer.
The server is running on GDB simulator with special patch.

* Connect to the server.

$ telnet micro.pwn.seccon.jp 10000
$ echo ‘+$g#67+’ | nc micro.pwn.seccon.jp 10000

A long connection is disconnected automatically.

* Read “flag.txt” on current directory.

Reference:

* Assembly samples for many architectures

cross-20130826.zip
ref: http://kozos.jp/books/asm/cross-20130826.zip

See the assembly samples.

$ unzip cross-20130826.zip
$ cd cross/sample
$ ls *.d

See the sample programs running on GDB simulator.

$ cd cross/exec
$ ls *.d

Backpacker’s Capricious Cipher
Today’s cipher is here.
capricious_cipher.zip

uncomfortable web
Attack to http://127.0.0.1:81/authed/ through the uploaded script at http://uncomfortableweb.pwn.seccon.jp/.
Get the flag in the database!

randomware
My PC suddenly got broken. Could you help me to recover it please?
NOTE: The disk can be virus-infected. DO NOT RUN any programs extracted from the disk outside of sandbox.
disk.qcow2.zip
Challenge files is huge, please download it first. Password will release after 60min.

password: h9nn4c2955kik9qti9xphuxti

checker
Host : checker.pwn.seccon.jp
Port : 14726

checker (SHA1 : 576202ccac9c1c84d3cf6c2ed0ec4d44a042f8ef)

Host : missile.pwn.seccon.jp
Port : 9999

Missile (SHA1 : 0bcb9fb57431ca8c459d346d8ede376510da433a)

Obfuscated AES
Decrypt it.
OAES.zip

Retrospective
Reverse it.
file

Lost Decryption
I created my own cipher and encrypted the very important file.
However, I lost the decryption program because of file system error, so now I cannot read the file.
Please help me.
lost_decryption.zip

shopping
Host : shopping.pwn.seccon.jp
Port : 16294

shopping (SHA1 : c2e27cb9cefe7c08b52d5849bf39017cfcd38efb)
libc-2.19.so (SHA1 : 8674307c6c294e2f710def8c57925a50e60ee69e)

Alpha Complex 2
Mission: Decrypt the cipher.
AlphaComplex2.zip

コメントを残す コメントをキャンセル

コメントを残すコメントをキャンセル