
babycrypto1

 

 

I was going to write this in English, but somehow it doesn't come easily..

 

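We are given the ciphertext of the test command,

and there is a feature that uses the same AES key and lets us supply an IV to produce a ciphertext.

At line 50 the token is used as-is, so the earlier blocks can be kept unchanged and we only need to think about the last block, which contains only the command.

Changing the last plaintext block only changes the last block of the ciphertext, so we can build an encrypted block containing "show" and swap it in.

If we treat the value that is XORed with the plaintext when the last block is produced as the IV, that IV is the (N-1)th ciphertext block.

Set the plaintext to "show" and the IV to the last ciphertext block to produce one ciphertext block,

then swap it in for the last block of the test command ciphertext we were originally given.

During decryption the earlier blocks are unchanged, so the token decrypts as before and the last block decrypts to show.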


babycrypto2

 

 

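The difference from 1 is that COMMAND has moved to the very first block and there is no encryption step.

In any case, changing an earlier ciphertext block also affects the block after it, so swapping blocks does not work.

However, looking at the decryption process, the very first block is XORed with the IV after the block cipher decryption.

And we can supply the IV used for decryption. We change this IV so that the first plaintext block becomes the value we want. Since the ciphertext is reused unchanged, the output of the block cipher decryption is fixed.

In the original decryption, the IV is the IV we were first given and the output of the block cipher decryption is IV xor plaintext(test), so the IV that produces the plaintext we want is IV xor plaintext(test) xor plaintext(show).

Note that when building plaintext(show) we have to account for the PREFIX value in front and the 3 token bytes after it.

Build the IV that way and submit IV + data for decryption.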
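Both tricks above (the last-block swap in babycrypto1 and the IV change in babycrypto2), plus the integrity check that stops them, as an added example that is not the challenge's code. A toy Feistel block cipher stands in for AES so it runs with the standard library only; the PREFIX value, key and token are constructed for the demo.

```python
import hashlib, hmac

BS = 16
PREFIX = b"Command: "  # assumed 9-byte prefix, constructed for this demo

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key, i, half):  # round function of the toy Feistel cipher
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def enc_block(key, b):  # toy 16-byte block cipher standing in for AES
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, xor(l, round_f(key, i, r))
    return l + r

def dec_block(key, b):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = xor(r, round_f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, msg):
    n = BS - len(msg) % BS
    msg, out = msg + bytes([n]) * n, b""  # PKCS#7 padding
    for i in range(0, len(msg), BS):
        iv = enc_block(key, xor(msg[i:i + BS], iv))
        out += iv
    return out

def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BS] for i in range(0, len(ct), BS)]
    pt = b"".join(xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pt[:-pt[-1]]

def swap_last_block(key, iv, token):  # babycrypto1: token fills whole blocks
    given = cbc_encrypt(key, iv, token + b"test")
    tail = cbc_encrypt(key, given[-2 * BS:-BS], b"show")  # oracle, IV = block N-1
    return cbc_decrypt(key, iv, given[:-BS] + tail)

def flip_iv(key, iv, token):  # babycrypto2: command sits in the first block
    ct = cbc_encrypt(key, iv, PREFIX + b"test" + token)
    delta = xor(PREFIX + b"test", PREFIX + b"show").ljust(BS, b"\0")
    return ct, xor(iv, delta), cbc_decrypt(key, xor(iv, delta), ct)

def mac_ok(mac_key, iv, ct, tag):  # encrypt-then-MAC check over IV || ciphertext
    good = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(good, tag)
```

The token bytes in the first block cancel out of the XOR, so the IV change needs no knowledge of them; a tag computed over IV and ciphertext no longer verifies once either is modified.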


Forensics

Stego

Anime is love

There is a zip file after the end of the jpg file (after the jpg footer signature).

Fix the header signature.

It is encrypted, so find the password using ARCHPR with rockyou.txt, a dictionary file for dictionary attacks.

flag.txt

It is a PDF file

and it's locked.

good.


Telephone

github.com/ribt/dtmf-decoder

 


convert m4a to wav to use dtmf-decoder

 

hmm...


b1n4rY

bin to hex

make a file "a.data"

open with GIMP

scan it!

 


Web

Sanity Check 2

at ./

base64 -> ascii -> caesar cipher


C is hard

bof

ez


Forensics

SHIFT

anyconv.com/ko/png-to-raw-byeonhwangi/

 


png to bmp

 

rename .bmp to .data

 

open with GIMP

 

width 5261

 


Doubly Deleted Data


Sandwiched

You can see that there are several pdf files, and you can see that there is a jpg file in between.

 

However, jpg's footer signature can be found far away.

There are parts of the jpg file between the pdf files.

 

The extracted jpg file had a flag.

 


OSINT Part 1

 

search name in twitter


OSINT Part 2

 

google image search

 


Small P Problems

Diffie–Hellman

github.com/DrMMZ/Attack-Diffie-Hellman/blob/master/AttackDH.py

 



Beginner

Various Vernacular

quipqiup.com/

 



Forensic

Clang


oBfsC4t10n

open it!

 

download it!

rename .xlsm to .xls

open and recover it!

go to this location

this is vbscript

hmm


web

BonechewerCon

just input {{config}}


crypto

Broken RSA

 

e is very big

https://github.com/pablocelayes/rsa-wiener-attack.git

 


RSAwienerHacker.py

 


layers.txt

bin2ascii

oct2ascii

hex2ascii

base64decode

base85decode


Chimera

Open chimera.bin.img using FTK Imager.

 

I found key.docx.

extract it and rename key.docx to key.zip

 

hmm __main__.py ?

zip password key...

but I couldn't find any zip file.

So I opened chimera.bin.img with HxD.exe. Then I searched for "flag".

 

flag.png in flag.zip

good

It is in a PDF file stream, but I couldn't find any PDF file, so I just carved it.

It says the file is corrupted, but I can get a 61% unzipped flag.png.

 

 

it is half of flag, but we can read flag :)


Glitch in the matrix

 

DQT : en.wikibooks.org/wiki/JPEG_-_Idea_and_Practice/The_header_part#The_Quantization_table_segment_DQT

 


 

The DQT area is intentionally covered with 0xFF.

To recover the DQT area, I copied and pasted the DQT area of other normal jpg files downloaded from Google.

After many attempts, I could read a flag.

 

we_need_bits_lots_of_bits


Net Matroyshka

 

8.pcap

 

7.pcap

 

 

6.pcap

 

copy&paste rsync data and sum data

 

5.pcap

 

follow > udp stream

 

make 4.zip

no footer signature in 5.pcap.

I think I extracted 5.zip wrong because 5.zip said the zip file is corrupted.

I couldn't extract 5.zip correctly..

 


Tapesplice

BZh91AY&SY is bz2 header signature

 


denouement.png

use zsteg


Résumé

just copy and paste


Charge Tracker

 

dex2jar sourceforge.net/projects/dex2jar/

 


 

open .jar using jd-gui java-decompiler.github.io/

 


 

part1 is here.

done.


Hashcrack 101

www.tunnelsup.com/hash-analyzer/

 


1~4 : DES (Unix)

5~9 : md5crypt, MD5 (Unix)

10~13 : sha512crypt $6$, SHA512 (Unix)

 

use hashcat

hashcat.net/wiki/doku.php?id=example_hashes

 


combination bruteforce attack

dictionary attack

 


비트에 몸을 맡겨라!

Brute-force it, find the result that makes sense, and submit it.


blank

whitespace -> directory indexing -> whitespace

vii5ard.github.io/whitespace/

 



TRUST's math class

from sympy import *
from pwn import *

def cleaneqn(s):
    # s is the repr of a received bytes line, e.g. b'...=0\n'
    s = str(s)
    s = s.replace("b'", "")
    s = s.replace("=0\\n'", "")
    s = s.replace("x", "*x")
    s = s.replace("y", "*y")
    return s

def solveeqn(a1, a2):  # solve the simultaneous equations for x and y
    x, y = symbols('x y')
    # eval is used because fitting the input into the expected form was awkward.
    # Note: this evaluates text received from the server as Python code.
    return eval("solve( [ Eq(" + a1 + " ,0), Eq(" + a2 + ", 0) ], [x,y] )")

def solve_func(e):
    x, y = symbols('x y')

    for i in range(2):
        e[i] = cleaneqn(e[i])  # convert the received equation into a form sympy accepts

    ans = solveeqn(e[0], e[1])  # find the intersection point
    print(ans[x])
    return ans[x], ans[y]

# main
equation = ["0"] * 2  # holds the two equations
p = remote("n1net4il.xyz", 31339)
p.recvuntil(b"===== TRUST's Math Class =====\n")
for i in range(0, 100):
    equation[0] = p.recvline()
    equation[1] = p.recvline()
    for j in range(2):
        print(equation[j])
    x, y = solve_func(equation)
    p.recvuntil(b":")
    p.sendline(str(eval(str(x))).encode())
    p.recvuntil(b":")
    p.sendline(str(eval(str(y))).encode())

p.interactive()

Listen PIZ!!

Rename the pptx file to zip,

and in slide23.xml

there is a base64 string.


ultimate hacking defense

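A vmdk file is given.

Open it with FTK Imager.

Which files do we need? Read the challenge description carefully.

We have obtained information that the hacker downloaded a hacking tool from the last website they visited, and used several commands in a terminal to attack the TRUST server.

The last website visited, and the terminal.

So we should look at the browsing history and the terminal input history.

Browsers such as Chrome, Firefox and Whale are not installed.

So go straight to IE.

We could look directly at the IE history (C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{7A1FA2C8-7768-11EB-94AC-001A7DDA7113}.dat), but

the last URL typed into IE can also be found in NTUSER.DAT.

Extract that file and run RegRipper on it.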

forensic.korea.ac.kr/DFWIKI/index.php/RegRipper

 


Visiting that page gives the second half of the flag.

Next, consolehost_history.txt shows up in Recent Documents.

This tells us PowerShell was used.

Find that file and extract it:

C:\Users\Devleo\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine\ConsoleHost_history.txt

Search it for the start of the flag, TRUST{ .


Tenable

The ultimate mutant marvel team-up

install nessus essentials

 

import it

 

export it

 

open with xml


Forensics

H4ck3R_m4n exp0sed! 1

 

extract butter.jpg


H4ck3R_m4n exp0sed! 2

 

extract it


H4ck3R_m4n exp0sed! 3

 

use dataz

hex -> ascii -> base64 -> hex -> jpg file


Cat Taps

usb keyboard packet capture file

github.com/TeamRocketIst/ctf-usb-keyboard-parser

 


hmm

 

abawazeeer.medium.com/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4

 



Fix Me

There are dummy bytes between chunks.

 

Check position of dummy bytes using tweakPNG.exe

and then remove dummy bytes using HxD.

repeat.
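The manual tweakPNG/HxD loop above can be automated by walking the chunk structure and using each chunk's CRC to resynchronise past the dummy bytes. This is an added example, not part of the original write-up; the sample PNG and the inserted junk bytes are constructed inline.

```python
import struct, zlib

SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):  # build one well-formed chunk: length, type, data, CRC
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def chunk_size_at(buf, pos):
    """Total size of the chunk starting at pos, or 0 if none is well formed there."""
    if pos + 12 > len(buf):
        return 0
    length = struct.unpack(">I", buf[pos:pos + 4])[0]
    end = pos + 12 + length
    if end > len(buf) or not buf[pos + 4:pos + 8].isalpha():
        return 0
    crc = struct.unpack(">I", buf[end - 4:end])[0]
    return end - pos if zlib.crc32(buf[pos + 4:end - 4]) == crc else 0

def strip_junk(buf):
    """Return (cleaned PNG, [(offset, length)] of bytes dropped between chunks)."""
    if not buf.startswith(SIG):
        raise ValueError("not a PNG")
    out, junk, pos = bytearray(SIG), [], len(SIG)
    while pos < len(buf):
        size = chunk_size_at(buf, pos)
        if not size:  # resynchronise on the next offset whose CRC checks out
            start = pos
            while pos < len(buf) and not chunk_size_at(buf, pos):
                pos += 1
            junk.append((start, pos - start))
            continue
        out += buf[pos:pos + size]
        if buf[pos + 4:pos + 8] == b"IEND":
            break
        pos += size
    return bytes(out), junk

def sample():  # constructed 1x1 grayscale PNG plus a copy with junk inserted
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x7f"))
    iend = chunk(b"IEND", b"")
    dirty = SIG + ihdr + b"\xde\xad\xbe\xef" + idat + b"JUNK!" + iend
    return SIG + ihdr + idat + iend, dirty
```

The returned offset list shows where the dummy bytes sat, which is the same information tweakPNG's error position gives one gap at a time.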


Stego

Easy Stego

stegsolve.jar

 

stegsolve.jar


Hackerman

 


Numerological

 

3637 3639 3734 3265 3639 3666 3266 3461 3734 3461 3631 3538


Weird Transmission

ourcodeworld.com/articles/read/956/how-to-convert-decode-a-slow-scan-television-transmissions-sstv-audio-file-to-images-using-qsstv-in-ubuntu-18-04

 



Reverse Engineering

The only tool you'll ever need


Pwntown 1

I just ran the corridor in normal, then the flag was out. hmm


Crypto

Easy Peasy

base64 -> hex2ascii -> caesar cipher


Web App

Stay Away Creepy Crawlers

at ./robots.txt


Can't find it

 

flag is at a 404 not found page.


Source of All Evil


Show me what you got

directory indexing

 

flag is at ./images/alidi3sd.txt


Certificate of Authenticity

go to https://

get a certificate


Ripper Doc

./certified_rippers.php

edit cookie false to true


Headers for you inspiration


 

Spring MVC 1


Spring MVC 2


Spring MVC 3


Spring MVC 4


Spring MVC 5


Spring MVC 6


Spring MVC 7 (Hiding in Plain Sight)

./?name=please


Spring MVC 8 (Sessionable)

./other?name=admin

and go ./


Follow The Rabbit Hole

output -> hex -> png file


Misc

Esoteric

--[----->+<]>.++++++.-----------.++++++.[----->+<]>.----.---.+++[->+++<]>+.-------.++++++++++.++++++++++.++[->+++<]>.+++.[--->+<]>----.+++[->+++<]>++.++++++++.+++++.--------.-[--->+<]>--.+[->+++<]>+.++++++++.>--[-->+++<]>.

 

brainfuck

www.dcode.fr/brainfuck-language

 



Quit messing with my flags


Find the encoding

base58


One Byte at a Time

we know flag starts with "flag{"

then we can get xor key "0x77", "0x10", "0x02"

brute force it!


Not JSON

 

base64 to hex

 

abcdefghjiklmnopqrstuvwxyz_{} is table

index : dummy 1byte : data

05 0B 00 06 1B 12 0E 0d 1A 0E 05 1A 00 1A 01 12 0E 0D 1C

to dec

and +1


Forwards from Grandma

we can find { and } in title

morse code!

FWD: -> .

RE: -> -

# -> _


Broken QR

fix using Microsoft Paint

 
