SECCON 2016 Online CTF - Write Up -
What is SECCON... http://2016.seccon.jp/about/
It is an information security contest event that holds a variety of competitions on the theme of information security.
I took part in the SECCON online qualifier, "SECCON 2016 Online CTF".
This article is the day 13 entry of the "CTF Advent Calendar 2016".
I did not solve very many this time, so please bear with me on that...
This time I could only solve these three problems, which many people solved...
I competed as BiPhone (@Akashi_SN, @Snow_Poijio, @yamasy1549),
and we finished 420th with 300 points... I will keep working hard.
Write Up
I will write up the problems I solved during the competition.
Vigenere [Crypto-100pt]
Question
k: ????????????
p: SECCON{???????????????????????????????????}
c: LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ

k=key, p=plain, c=cipher, md5(p)=f528a6ab914c1ecf856a1d93103948fe

 |ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
-+----------------------------
A|ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
B|BCDEFGHIJKLMNOPQRSTUVWXYZ{}A
C|CDEFGHIJKLMNOPQRSTUVWXYZ{}AB
D|DEFGHIJKLMNOPQRSTUVWXYZ{}ABC
E|EFGHIJKLMNOPQRSTUVWXYZ{}ABCD
F|FGHIJKLMNOPQRSTUVWXYZ{}ABCDE
G|GHIJKLMNOPQRSTUVWXYZ{}ABCDEF
H|HIJKLMNOPQRSTUVWXYZ{}ABCDEFG
I|IJKLMNOPQRSTUVWXYZ{}ABCDEFGH
J|JKLMNOPQRSTUVWXYZ{}ABCDEFGHI
K|KLMNOPQRSTUVWXYZ{}ABCDEFGHIJ
L|LMNOPQRSTUVWXYZ{}ABCDEFGHIJK
M|MNOPQRSTUVWXYZ{}ABCDEFGHIJKL
N|NOPQRSTUVWXYZ{}ABCDEFGHIJKLM
O|OPQRSTUVWXYZ{}ABCDEFGHIJKLMN
P|PQRSTUVWXYZ{}ABCDEFGHIJKLMNO
Q|QRSTUVWXYZ{}ABCDEFGHIJKLMNOP
R|RSTUVWXYZ{}ABCDEFGHIJKLMNOPQ
S|STUVWXYZ{}ABCDEFGHIJKLMNOPQR
T|TUVWXYZ{}ABCDEFGHIJKLMNOPQRS
U|UVWXYZ{}ABCDEFGHIJKLMNOPQRST
V|VWXYZ{}ABCDEFGHIJKLMNOPQRSTU
W|WXYZ{}ABCDEFGHIJKLMNOPQRSTUV
X|XYZ{}ABCDEFGHIJKLMNOPQRSTUVW
Y|YZ{}ABCDEFGHIJKLMNOPQRSTUVWX
Z|Z{}ABCDEFGHIJKLMNOPQRSTUVWXY
{|{}ABCDEFGHIJKLMNOPQRSTUVWXYZ
}|}ABCDEFGHIJKLMNOPQRSTUVWXYZ{

Vigenere cipher
https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher
Answer
As the problem statement and the hint link make clear, this is a Vigenere cipher.
http://elliptic-shiho.hatenablog.com/entry/2015/11/12/041637
I used this site as a reference.
The first 7 characters of the key are known (from the known plaintext prefix SECCON{), so the remaining 5 characters, i.e. log(28^5) = 7.15, look exhaustively searchable, so I wrote code that brute-forces the key.
#!/usr/bin/env python3
import hashlib

Base = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ{}'   # 28-symbol alphabet from the problem
key = ""
Cipher = "LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ"
KnownPlain = "SECCON{"
Plain = ""
Md5_Plain = "f528a6ab914c1ecf856a1d93103948fe"

# Recover the first 7 key characters from the known plaintext prefix:
# key = cipher - plain (mod 28); Python's negative indexing does the wrap-around.
for i in range(len(KnownPlain)):
    Index_Of_KnownPlain = Base.find(KnownPlain[i])
    Index_Of_Cipher = Base.find(Cipher[i])
    Index_Of_key = Index_Of_KnownPlain - Index_Of_Cipher
    key += Base[-Index_Of_key]

print("key:{}".format(key))

# Brute-force the remaining 5 key characters (28^5 candidates) and check each
# decryption against the given MD5.
Allkey = [x+y+z+a+b for x in Base for y in Base for z in Base for a in Base for b in Base]
j = 0
for k in Allkey:
    Plain = ""
    for i in range(len(Cipher)):
        Index_Of_Cipher = Base.find(Cipher[i])
        genKey = key+k
        Index_Of_Key = Base.find(genKey[i%12])
        Index_Of_Plain = Index_Of_Cipher - Index_Of_Key   # a negative index wraps around
        Plain += Base[Index_Of_Plain]
    j+=1
    if j%10000000 == 0:
        print("{} Times".format(j))
    if hashlib.md5(Plain.encode('utf8')).hexdigest() == Md5_Plain:
        print("Find!!!! ...{} Times".format(j))
        print(Plain)
        break
$ python q1.py
key:VIGENER
10000000 Times
20000000 Times
30000000 Times
40000000 Times
50000000 Times
60000000 Times
70000000 Times
80000000 Times
90000000 Times
100000000 Times
Find!!!! ...108084499 Times
SECCON{ABABABCDEDEFGHIJJKLMNOPQRSTTUVWXYYZ}
The flag comes out in about a minute.
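As an added example (not the author's script), the same attack with the crib step separated from the search: `vigenere`, `recover_key` and `brute_force` are my names, while the alphabet, ciphertext, key length, crib and MD5 are the challenge's. It generalises the write-up's code to any crib position and streams the candidates instead of building the 28^5-element list.

```python
import hashlib
from itertools import product

# Values from the challenge statement above.
BASE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}"   # 28 symbols, so all arithmetic is mod 28
CIPHER = "LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ"
KNOWN_PREFIX = "SECCON{"
KEY_LEN = 12                               # k: ???????????? in the statement
MD5_PLAIN = "f528a6ab914c1ecf856a1d93103948fe"

def vigenere(text, key, decrypt=False):
    """Vigenere over BASE: c_i = p_i + k_(i mod len) (mod 28); decrypt subtracts."""
    out = []
    for i, ch in enumerate(text):
        shift = BASE.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(BASE[(BASE.index(ch) + shift) % len(BASE)])
    return "".join(out)

def recover_key(cipher, known_plain, key_len):
    """Key slots fixed by a crib: k_i = c_i - p_i (mod 28). Slots the crib
    never reaches stay None; SECCON{ fixes the first 7 of 12."""
    key = [None] * key_len
    for i, (c, p) in enumerate(zip(cipher, known_plain)):
        key[i % key_len] = BASE[(BASE.index(c) - BASE.index(p)) % len(BASE)]
    return key

def brute_force(cipher, partial_key, digest, candidates=BASE):
    """Fill the None slots by exhaustive search, stopping at the first key whose
    plaintext has the expected MD5. product() streams the 28**5 guesses instead
    of building a 17-million-element list; `candidates` can narrow the search."""
    unknown = [i for i, k in enumerate(partial_key) if k is None]
    for guess in product(candidates, repeat=len(unknown)):
        key = list(partial_key)
        for slot, ch in zip(unknown, guess):
            key[slot] = ch
        plain = vigenere(cipher, "".join(key), decrypt=True)
        if hashlib.md5(plain.encode()).hexdigest() == digest:
            return "".join(key), plain
    return None, None

if __name__ == "__main__":
    partial = recover_key(CIPHER, KNOWN_PREFIX, KEY_LEN)
    print("crib fixes:", "".join(k or "?" for k in partial))   # VIGENER?????
    print(*brute_force(CIPHER, partial, MD5_PLAIN))
```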
VoIP [Forensics-100pt]
Question
VoIP
Extract a voice. The flag format is SECCON{[A-Z0-9]}.
Answer
Since these appear to be IP telephony packets, you can listen to the audio in Wireshark via Telephony (y) → VoIP Calls (V) → Play Streams.
I had a hard time because I could not make out the pronunciation of "V".
FLAG:SECCON{9001IVR}
Memory Analysis [Forensics-100pt]
Question
Find the website that the fake svchost is accessing. You can get the flag if you access the website!! The challenge files are huge, please download it first.
Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file
password: fjliejflsjiejlsiejee33cnc
Answer
We do this with the memory dump analysis software from http://www.volatilityfoundation.org/.
Documentation: https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
volatility-2.5.standalone.exe -f forensic_100.raw imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\SECCON-2016-Online-CTF\Forensics\100\Memory Analysis\memoryanalysis\forensic_100.raw)
                      PAE type : PAE
                           DTB : 0x34c000L
                          KDBG : 0x80545ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-12-06 05:28:47 UTC+0000
     Image local date and time : 2016-12-06 14:28:47 +0900
It appears to be a Windows XP memory dump.
Process list
volatility-2.5.standalone.exe -f forensic_100.raw psscan
Volatility Foundation Volatility Framework 2.5
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001805d40 disable_outdate    1376   1928 0x09480360 2016-10-26 09:44:04 UTC+0000   2016-10-26 09:44:04 UTC+0000
0x00000000018dc630 tcpview.exe        2844   1464 0x09480320 2016-12-06 05:13:57 UTC+0000   2016-12-06 05:26:18 UTC+0000
0x0000000001bb4380 tcpview.exe        3308   1556 0x091c0360 2016-12-06 05:28:42 UTC+0000
0x0000000001c18020 smss.exe            540      4 0x091c0020 2016-12-06 05:27:04 UTC+0000
0x0000000001c309e8 vmtoolsd.exe       1820    676 0x04c00260 2016-10-25 10:17:40 UTC+0000   2016-10-26 09:05:05 UTC+0000
0x0000000002018da0 svchost.exe         848    672 0x091c00e0 2016-12-06 05:27:08 UTC+0000
0x0000000002041928 svchost.exe        1320    672 0x091c0180 2016-12-06 05:27:10 UTC+0000
0x000000000204b4b0 vmtoolsd.exe        312    672 0x091c02a0 2016-12-06 05:27:13 UTC+0000
0x000000000204f560 svchost.exe        1704    672 0x091c0200 2016-12-06 05:27:10 UTC+0000
0x0000000002056228 wscntfy.exe         720   1036 0x091c03a0 2016-12-06 05:27:18 UTC+0000
0x00000000020886f0 GoogleUpdate.ex     372   1984 0x091c02c0 2016-12-06 05:27:13 UTC+0000
0x0000000002089200 wmiprvse.exe        596    848 0x091c0340 2016-12-06 05:27:13 UTC+0000
0x00000000020f6da0 csrss.exe           604    540 0x091c0040 2016-12-06 05:27:07 UTC+0000
0x0000000002100558 VGAuthService.e     196    672 0x091c0280 2016-12-06 05:27:13 UTC+0000
0x000000000210dbe0 spoolsv.exe        1644    672 0x091c01e0 2016-12-06 05:27:10 UTC+0000
0x000000000212cb20 wuauclt.exe        3164   1036 0x091c01a0 2016-12-06 05:28:15 UTC+0000
0x0000000002146238 alg.exe            2028    672 0x091c0380 2016-12-06 05:27:16 UTC+0000
0x0000000002165da0 svchost.exe        1776    672 0x091c0220 2016-12-06 05:27:10 UTC+0000
0x000000000218c9a0 lsass.exe           684    628 0x091c00a0 2016-12-06 05:27:07 UTC+0000
0x0000000002192778 svchost.exe        1088    672 0x091c0140 2016-12-06 05:27:08 UTC+0000
0x0000000002262b20 wuauclt.exe         488   1036 0x091c02e0 2016-12-06 05:27:13 UTC+0000
0x0000000002351ca8 svchost.exe         936    672 0x091c0100 2016-12-06 05:27:08 UTC+0000
0x0000000002354880 vmacthlp.exe        836    672 0x091c00c0 2016-12-06 05:27:08 UTC+0000
0x000000000236a5e8 DumpIt.exe         3740   1556 0x091c0320 2016-12-06 05:28:46 UTC+0000
0x000000000236e670 services.exe        672    628 0x091c0080 2016-12-06 05:27:07 UTC+0000
0x0000000002370da0 ctfmon.exe         1872   1556 0x091c0160 2016-12-06 05:27:11 UTC+0000
0x0000000002373da0 winlogon.exe        628    540 0x091c0060 2016-12-06 05:27:07 UTC+0000
0x00000000023f8438 vmtoolsd.exe       1856   1556 0x091c0240 2016-12-06 05:27:11 UTC+0000
0x000000000245bda0 IEXPLORE.EXE        380   1776 0x091c03c0 2016-12-06 05:27:19 UTC+0000
0x0000000002467900 rundll32.exe       1712   1556 0x091c0260 2016-12-06 05:27:16 UTC+0000
0x000000000249f7e8 IEXPLORE.EXE       1080    380 0x091c0300 2016-12-06 05:27:21 UTC+0000
0x0000000002512450 svchost.exe        1036    672 0x091c0120 2016-12-06 05:27:08 UTC+0000
0x000000000251f698 explorer.exe       1556   1520 0x091c01c0 2016-12-06 05:27:10 UTC+0000
0x00000000025c8660 System                4      0 0x0034c000
Find the site that the fake svchost is accessing.
Next, dump all of the svchost processes.
volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 936
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x82151ca8 0x01000000 svchost.exe          OK: executable.936.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 1704
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81e4f560 0x01000000 svchost.exe          OK: executable.1704.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 848
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81e18da0 0x01000000 svchost.exe          OK: executable.848.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 1776
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81f65da0 0x00400000 svchost.exe          OK: executable.1776.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 1320
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81e41928 0x01000000 svchost.exe          OK: executable.1320.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 1088
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81f92778 0x01000000 svchost.exe          OK: executable.1088.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 1036
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x82312450 0x01000000 svchost.exe          OK: executable.1036.exe
dump$ file *
executable.1036.exe: PE32 executable (GUI) Intel 80386, for MS Windows
executable.1088.exe: PE32 executable (GUI) Intel 80386, for MS Windows
executable.1320.exe: PE32 executable (GUI) Intel 80386, for MS Windows
executable.1704.exe: PE32 executable (GUI) Intel 80386, for MS Windows
executable.1776.exe: PE32 executable (console) Intel 80386, for MS Windows
executable.848.exe:  PE32 executable (GUI) Intel 80386, for MS Windows
executable.936.exe:  PE32 executable (GUI) Intel 80386, for MS Windows
Only executable.1776.exe is different, so:
$ strings executable.1776.exe | grep http
C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
It is trying to access something...
Hint2 says "Check the hosts file", so:
volatility-2.5.standalone.exe -f forensic_100.raw filescan | grep hosts
Volatility Foundation Volatility Framework 2.5
0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
Found it! Let's dump it!
volatility-2.5.standalone.exe -f forensic_100.raw dumpfiles -D output/ -Q 0x000000000217b748
Volatility Foundation Volatility Framework 2.5
DataSectionObject 0x0217b748   None   \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
cat file.None.0x819a3008.dat
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
153.127.200.178 crattack.tistory.com
It appears that an attempt to access crattack.tistory.com ends up at 153.127.200.178 instead.
So it looks like accessing http://153.127.200.178/entry/Data-Science-import-pandas-as-pd is the way to go.
Doing so downloads a file, and displaying it gives the flag.
FLAG:SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
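As an added example (not from the write-up; the function names and the heuristic are mine), two checks an analyst could script over the output above: the psscan rows are parsed so that an svchost.exe with a parent other than services.exe, or with an interactive child such as IEXPLORE.EXE (PID 380 under 1776 in the listing), is flagged, and the dumped hosts file is scanned for names pointed at non-loopback addresses. Both inputs are constructed excerpts of the page's own output.

```python
import re

# Constructed excerpt of the psscan rows shown above (offset, name, PID, PPID, PDB, ...).
PSSCAN = """\
0x0000000002165da0 svchost.exe      1776    672 0x091c0220 2016-12-06 05:27:10 UTC+0000
0x000000000236e670 services.exe      672    628 0x091c0080 2016-12-06 05:27:07 UTC+0000
0x000000000245bda0 IEXPLORE.EXE      380   1776 0x091c03c0 2016-12-06 05:27:19 UTC+0000
0x000000000249f7e8 IEXPLORE.EXE     1080    380 0x091c0300 2016-12-06 05:27:21 UTC+0000
0x0000000002512450 svchost.exe      1036    672 0x091c0120 2016-12-06 05:27:08 UTC+0000
"""
# Constructed excerpt of the dumped hosts file shown above.
HOSTS = """\
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
153.127.200.178 crattack.tistory.com
"""
ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s+0x[0-9a-f]+")
INTERACTIVE = {"iexplore.exe"}   # programs a genuine service host should not launch

def parse_psscan(text):
    """Map PID -> (name, PPID); header and separator lines do not match ROW."""
    rows = (ROW.match(line) for line in text.splitlines())
    return {int(m.group(2)): (m.group(1), int(m.group(3))) for m in rows if m}

def suspicious_svchost(procs):
    """Flag svchost.exe not parented by services.exe, or spawning an interactive program."""
    findings = []
    for pid, (name, ppid) in procs.items():
        if name.lower() != "svchost.exe":
            continue
        parent = procs.get(ppid, ("<not in scan>", None))[0]
        if parent.lower() != "services.exe":
            findings.append((pid, f"parent is {parent}, not services.exe"))
        for cpid, (cname, cppid) in procs.items():
            if cppid == pid and cname.lower() in INTERACTIVE:
                findings.append((pid, f"spawned {cname} (PID {cpid})"))
    return findings

def hosts_overrides(text):
    """Return (ip, hostname) pairs that point a name at a non-loopback address."""
    out = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()    # strip comments; blank -> []
        if fields and not fields[0].startswith("127.") and fields[0] != "::1":
            out.extend((fields[0], name) for name in fields[1:])
    return out
```

Run over the full psscan table, the same rule leaves the other svchost.exe rows and the wmiprvse.exe child of PID 848 unflagged, since only the interactive child and the parent check fire.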
Impressions
I realized I still have a really long way to go, so I will keep working hard...