SECCON2016 CTF オンライン予選

あまり余裕はないけどとりあえずエントリーはしてみた。

Title Genre Point
Vigenere Crypto 100
VoIP Forensics 100
Memory Analysis Forensics 100
biscuiti Web, Crypto 300
chat Exploit 500
cheer msg Exploit 100
Anti-Debugging Binary 100
basiq Web 100
jmper Exploit 300
mboard Exploit 500
AlphaComplex1 Crypto 300
PNG over Telegraph Crypto 300
tinypad Exploit 300
logger Exploit 300
pppppoxy Web 200
ropsynth Binary 400
microcomputer Binary 500
Backpacker’s Capricious Cipher Crypto 200
uncomfortable web Web 300
randomware Forensics 300
checker Exploit 300
Missile Exploit 400
Obfuscated AES Binary, Crypto 500
Retrospective Binary 200
Lost Decryption Binary, Crypto 200
shopping Exploit 400
AlphaComplex2 [LAST] Crypto 500

Vigenere
k: ????????????
p: SECCON{???????????????????????????????????}
c: LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ

k=key, p=plain, c=cipher, md5(p)=f528a6ab914c1ecf856a1d93103948fe

|ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
-+—————————-
A|ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
B|BCDEFGHIJKLMNOPQRSTUVWXYZ{}A
C|CDEFGHIJKLMNOPQRSTUVWXYZ{}AB
D|DEFGHIJKLMNOPQRSTUVWXYZ{}ABC
E|EFGHIJKLMNOPQRSTUVWXYZ{}ABCD
F|FGHIJKLMNOPQRSTUVWXYZ{}ABCDE
G|GHIJKLMNOPQRSTUVWXYZ{}ABCDEF
H|HIJKLMNOPQRSTUVWXYZ{}ABCDEFG
I|IJKLMNOPQRSTUVWXYZ{}ABCDEFGH
J|JKLMNOPQRSTUVWXYZ{}ABCDEFGHI
K|KLMNOPQRSTUVWXYZ{}ABCDEFGHIJ
L|LMNOPQRSTUVWXYZ{}ABCDEFGHIJK
M|MNOPQRSTUVWXYZ{}ABCDEFGHIJKL
N|NOPQRSTUVWXYZ{}ABCDEFGHIJKLM
O|OPQRSTUVWXYZ{}ABCDEFGHIJKLMN
P|PQRSTUVWXYZ{}ABCDEFGHIJKLMNO
Q|QRSTUVWXYZ{}ABCDEFGHIJKLMNOP
R|RSTUVWXYZ{}ABCDEFGHIJKLMNOPQ
S|STUVWXYZ{}ABCDEFGHIJKLMNOPQR
T|TUVWXYZ{}ABCDEFGHIJKLMNOPQRS
U|UVWXYZ{}ABCDEFGHIJKLMNOPQRST
V|VWXYZ{}ABCDEFGHIJKLMNOPQRSTU
W|WXYZ{}ABCDEFGHIJKLMNOPQRSTUV
X|XYZ{}ABCDEFGHIJKLMNOPQRSTUVW
Y|YZ{}ABCDEFGHIJKLMNOPQRSTUVWX
Z|Z{}ABCDEFGHIJKLMNOPQRSTUVWXY
{|{}ABCDEFGHIJKLMNOPQRSTUVWXYZ
}|}ABCDEFGHIJKLMNOPQRSTUVWXYZ{
Vigenere cipher
https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher


VoIP
Extract a voice.
The flag format is SECCON{[A-Z0-9]}.
voip.pcap


 

Memory Analysis
Find the website that the fake svchost is accessing.
You can get the flag if you access the website!!

memoryanalysis.zip
The challenge files are huge, please download it first.
Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file

password: fjliejflsjiejlsiejee33cnc


biscuiti
Can you login as admin?
http://biscuiti.pwn.seccon.jp/
biscuiti.zip

Note: You should estimate that exploits cost an hour.


chat
Host : chat.pwn.seccon.jp
Port : 26895

chat (SHA1 : 6a60392ff43764570a1ea32de00ac6124469af0c)
libc-2.19.so (SHA1 : 8674307c6c294e2f710def8c57925a50e60ee69e)


cheer msg
Host : cheermsg.pwn.seccon.jp
Port : 30527

cheer_msg (SHA1 : a89bdbaf3a918b589e14446f88d51b2c63cb219f)
libc-2.19.so (SHA1 : c4dc1270c1449536ab2efbbe7053231f1a776368)


Anti-Debugging
Reverse it.
bin
may some AV will alert,but no problem.


Anti-Debugging
Reverse it.
bin
may some AV will alert,but no problem.


basiq
What is admin’s password?☺
http://basiq.pwn.seccon.jp


jmper
Host : jmper.pwn.seccon.jp
Port : 5656

jmper (SHA1 :78e21967c2de5988876df938559a850e24a000af)
libc-2.19.so (SHA1 :8674307c6c294e2f710def8c57925a50e60ee69e)


mboard
Host : mboard.pwn.seccon.jp
Port : 8273
Execute command : ./mvees_sandbox –replicas=1 –level=2 –out-limit=8192 –deny=11 ./mboard 2>&1
mboard.zip
mboard (SHA1 : cbd1701364cd7a41208cf4fd3cd5e82269f65b27)
mvees_sandbox (SHA1 : 38188bb110a74fb5641a3b51386d73c0d9ab0ed1)
libc-2.19.so (SHA1 : c4dc1270c1449536ab2efbbe7053231f1a776368)


Alpha Complex 1
Mission: Decrypt ac1.pwn.seccon.jp:31337
AlphaComplex1.zip


PNG over Telegraph
Analyze signal in this video.
You will able to get PNG, if you success to decode it.


Host : tinypad.pwn.seccon.jp
Port : 57463

Heap Fun as a Service!

tinypad (SHA1 : 0e6d01f582e5d8f00283f02d2281cc2c661eba72)
libc-2.19.so (SHA1 : 8674307c6c294e2f710def8c57925a50e60ee69e)


logger
Host : logger.pwn.seccon.jp
Port : 6565

logger (SHA1 : fee7140cb33d79c0406de49f7f8985fd459468ea)
libc-2.19.so (SHA1 : 8674307c6c294e2f710def8c57925a50e60ee69e)


pppppoxy
Log in as admin and get the flag
pppppoxy.zip.


ropsynth
ropsynth.pwn.seccon.jp:10000
Read “secret” and output the content such as the following code.

==
fd = open(“secret”, 0, 0);
len = read(fd, buf, 256);
write(1, buf, len);
==
dist.tgz


microcomputer

Remote debugging of a micro computer.
The server is running on GDB simulator with special patch.

* Connect to the server.

$ telnet micro.pwn.seccon.jp 10000
$ echo ‘+$g#67+’ | nc micro.pwn.seccon.jp 10000

A long connection is disconnected automatically.

* Read “flag.txt” on current directory.

Reference:

* Assembly samples for many architectures

cross-20130826.zip
ref: http://kozos.jp/books/asm/cross-20130826.zip

See the assembly samples.

$ unzip cross-20130826.zip
$ cd cross/sample
$ ls *.d

See the sample programs running on GDB simulator.

$ cd cross/exec
$ ls *.d


Backpacker’s Capricious Cipher
Today’s cipher is here.
capricious_cipher.zip


uncomfortable web
Attack to http://127.0.0.1:81/authed/ through the uploaded script at http://uncomfortableweb.pwn.seccon.jp/.
Get the flag in the database!


randomware
My PC suddenly got broken. Could you help me to recover it please?
NOTE: The disk can be virus-infected. DO NOT RUN any programs extracted from the disk outside of sandbox.
disk.qcow2.zip
Challenge files is huge, please download it first. Password will release after 60min.

password: h9nn4c2955kik9qti9xphuxti


checker
Host : checker.pwn.seccon.jp
Port : 14726

checker (SHA1 : 576202ccac9c1c84d3cf6c2ed0ec4d44a042f8ef)


Host : missile.pwn.seccon.jp
Port : 9999

Missile (SHA1 : 0bcb9fb57431ca8c459d346d8ede376510da433a)


Obfuscated AES
Decrypt it.
OAES.zip


Retrospective
Reverse it.
file


Lost Decryption
I created my own cipher and encrypted the very important file.
However, I lost the decryption program because of file system error, so now I cannot read the file.
Please help me.
lost_decryption.zip


shopping
Host : shopping.pwn.seccon.jp
Port : 16294

shopping (SHA1 : c2e27cb9cefe7c08b52d5849bf39017cfcd38efb)
libc-2.19.so (SHA1 : 8674307c6c294e2f710def8c57925a50e60ee69e)


Alpha Complex 2
Mission: Decrypt the cipher.
AlphaComplex2.zip


コメントを残す

メールアドレスが公開されることはありません。 * が付いている欄は必須項目です