[세종 CTF/250] Private Torrent

Posted by nopsled
2016.04.07 15:13 문제풀이



처음 바이너리 받고 확인하면 PK 포맷으로 ZIP파일인걸 알게 됩니다.





토렌트파일인거 확인.






다운 받으려 했지만 불가능.. 트래커 서버가 onion이다...


Tor 브라우저와 토렌트 연결해주어야 사용 가능..인포해쉬나 peer_id 같은거 알면 그냥 밑에 그대로 진행하심 됩니더



::1 - - [02/Apr/2016:16:33:12 +0900] "GET http://ovmqomeprulxo35z.onion/announce.php?info_hash=1%03%86%f8e%f9%159%20%d9%cfn%d3DT%21%efA%88%3b&peer_id=-UM1870-C%a3G%c3V%60bY%8c%dc%0e%e4&port=24874&uploaded=0&downloaded=0&left=73&corrupt=0&key=7305D41C&event=started&numwant=200&compact=1&no_peer_id=1&ipv6=fe80%3a%3a82e6%3a50ff%3afe0f%3a8bac HTTP/1.1" 404 210 "-" "uTorrentMac/1870(41795)"


- 아파치 로그 확인하면 저런 로그가 찍혀 있는데 저거 그대로 복사해서 들어가면 된다. 저기로 들어가주자.




bencode 형식으로 인코딩된 키인데 디코딩 해주면 된다. 해줄 필요도 없긴한데 그냥 해준다.


디코딩하면 json방식 이므로~


>>> print bencode.bdecode('d16:R4sc4l123_is_g0d3:keye')

{'R4sc4l123_is_g0d': 'key'}


사실 R4sc4l123_is_g0d3이거 열심히 입력했는데 R4sc4l123_is_g0d였다..



Thanks to @이상섭

저작자 표시 비영리
신고

[세종 CTF/250] Simple_Calculation

Posted by nopsled
2016.04.07 15:13 문제풀이

Just calculate 60 times! nc 203.250.148.100 31062



60번의 시도로 계산하랍니다. 그냥 간단한 코딩 MISC문제..


코드는 더러워도 이해해주세요.ㅋㅋ




calc.py



import socket, time

def calc(answer):

    operator = ['+','-','*','/','&','|','^']

    test = []

    for i in range(0, len(answer)):

        if not answer[i] in operator:

            test.append(answer[i])

        else:

            if answer[i] == '+':

                test.append(answer[i].replace('+','-'))

            elif answer[i] == '-':

                test.append(answer[i].replace('-', '+'))

            elif answer[i] == '*':

                test.append(answer[i].replace('*', '/'))

            elif answer[i] == '/':

                test.append(answer[i].replace('/', '*'))

            elif answer[i] == '&':

                test.append(answer[i].replace('&', '^'))

            elif answer[i] == '|':

                test.append(answer[i].replace('|', '&'))

            elif answer[i] == '^':

                test.append(answer[i].replace('^','|'))

    return ''.join(test)


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect(('203.250.148.100' , 31062))


print s.recv(1024) # Lovely Calculation!

s.send('d') # Enter Game


print s.recv(1024) # Two Game

s.send('Myeong\n') # Enter Game


print s.recv(1024)


s.send('\n') # press any key


for i in range(0, 60):

    response = s.recv(1024)

    print response,

    answer = response.split('\r\n')[0].split(' : ')[1]

    answer = calc(answer)

    print str(eval(answer)) + '\t\t' + answer

    s.send(str(eval(answer))+'\r\n')

    time.sleep(1)

print s.recv(1024)

print s.recv(1024)



nopsled@smleeo3o:~/Desktop (=ω´=)$ python test.py

Lovely Calculation!


This problem includes 60 rounds.


Specific Info.

1.Each round has 3 sec. time limit. And all of the answers will be INTEGER ONLY!

2.From round 1 to round 20, there will be less than 5 numbers that you should calculate. The operators will be +,-,*,%.

3.From round 21 to round 40, there will be more than 5 numbers that you should calculate. Also, the equation can have parenthesis. The operators will basically same as round 1 to 20.

4.From round 41 to round 60, there will be more than 10 numbers that you should calculate. Also, the equation can have parenthesis and &,|,^ operator. It follows the standard C language's operator precedence.

5.The operators are little bit different. + -> -, - -> +, * -> /, / -> *, & -> ^, | -> &, ^ -> |


What is your name? :

Have Fun!(Press Any Key)


Round 1 : 7+5*7%1

Answer :  7 7-5/7%1

Round 2 : 2/1+4-2

Answer :  0 2*1-4+2

Round 3 : 4+5%3

Answer :  2 4-5%3

Round 4 : 1%6-8+3

Answer :  6 1%6+8-3

Round 5 : 4+6

Answer :  -2 4-6

Round 6 : 2%6

Answer :  2 2%6

Round 7 : 8+7

Answer :  1 8-7

Round 8 : 9+8

Answer :  1 9-8

Round 9 : 7+9

Answer :  -2 7-9

Round 10 : 5-8

Answer :  13 5+8

Round 11 : 4%1+5+7

Answer :  -12 4%1-5-7

Round 12 : 9/1

Answer :  9 9*1

Round 13 : 2/4+1

Answer :  7 2*4-1

Round 14 : 9%1*4%4

Answer :  0 9%1/4%4

Round 15 : 5-4+4%2

Answer :  9 5+4-4%2

Round 16 : 8%5*2+3

Answer :  -2 8%5/2-3

Round 17 : 8-5

Answer :  13 8+5

Round 18 : 2+1

Answer :  1 2-1

Round 19 : 6*3

Answer :  2 6/3

Round 20 : 1+2+8+7

Answer :  -16 1-2-8-7

Round 21 : (4*1-7+5)-1*1*2

Answer :  6 (4/1+7-5)+1/1/2

Round 22 : 1*1+4+9*2

Answer :  -7 1/1-4-9/2

Round 23 : 7-9/5+1/8+1*4-1%3

Answer :  45 7+9*5-1*8-1/4+1%3

Round 24 : 1*7/1+2%4

Answer :  -2 1/7*1-2%4

Round 25 : 1*1*4*2+7*3%1*7

Answer :  0 1/1/4/2-7/3%1/7

Round 26 : 7*7*1-7-3

Answer :  11 7/7/1+7+3

Round 27 : 5+8*7-4/8-4-9+1

Answer :  48 5-8/7+4*8+4+9-1

Round 28 : 1+1/1+1*4

Answer :  0 1-1*1-1/4

Round 29 : 8*3%1+8+3-9+1+7

Answer :  -10 8/3%1-8-3+9-1-7

Round 30 : 6-1/1/1+4

Answer :  3 6+1*1*1-4

Round 31 : 3+4+5-4*1%7+2+7

Answer :  -11 3-4-5+4/1%7-2-7

Round 32 : 3+4/1+8-3/7/4/2*8

Answer :  12 3-4*1-8+3*7*4*2/8

Round 33 : 7*4*6*7+1+9

Answer :  -10 7/4/6/7-1-9

Round 34 : 1+7%1%8%6+9+1

Answer :  -9 1-7%1%8%6-9-1

Round 35 : 4-6+5%4-7*1

Answer :  16 4+6-5%4+7/1

Round 36 : 1-7%1/9-4*8/1

Answer :  1 1+7%1*9+4/8*1

Round 37 : 3%1+5%1+6*1+7*1+5

Answer :  -18 3%1-5%1-6/1-7/1-5

Round 38 : 3-8/4+3+9

Answer :  23 3+8*4-3-9

Round 39 : 1/9-6+7/1-1+2-2/8

Answer :  23 1*9+6-7*1+1-2+2*8

Round 40 : 6+3%8+1-6

Answer :  8 6-3%8-1+6

Round 41 : 8+7|(7-1)+4|7^5*4

Answer :  1 8-7&(7+1)-4&7|5/4

Round 42 : 3|8%2-7%4

Answer :  3 3&8%2+7%4

Round 43 : 1^3+7-4%6+3+7+3

Answer :  -13 1|3-7+4%6-3-7-3

Round 44 : 1%9+1-5+3

Answer :  2 1%9-1+5-3

Round 45 : 7+5+4-5|9/1+9^4

Answer :  4 7-5-4+5&9*1-9|4

Round 46 : 3+8+1+7|6+1%1%2%8

Answer :  2 3-8-1-7&6-1%1%2%8

Round 47 : 1&4+3%2*1+1

Answer :  3 1^4-3%2/1-1

Round 48 : 1+6+1^6^8&1%1+1+9

Answer :  -2 1-6-1|6|8^1%1-1-9

Round 49 : 3/5+9*1+4/3

Answer :  -6 3*5-9/1-4*3

Round 50 : 4%1+7^7+8^4%4

Answer :  -1 4%1-7|7-8|4%4

Round 51 : 5-9%1+7-6+9

Answer :  -5 5+9%1-7+6-9

Round 52 : 3+1+2*8^4*9*4%1%7

Answer :  2 3-1-2/8|4/9/4%1%7

Round 53 : 4*7|1|3%3+5-4+4*1

Answer :  0 4/7&1&3%3-5+4-4/1

Round 54 : 1+7*7|6+9

Answer :  0 1-7/7&6-9

Round 55 : 3%1^4/7/2+1%1%1

Answer :  56 3%1|4*7*2-1%1%1

Round 56 : 8+5^6/8/4

Answer :  195 8-5|6*8*4

Round 57 : 4^1*2|8%9*1+3+9

Answer :  4 4|1/2&8%9/1-3-9

Round 58 : 1+4*1|7^1

Answer :  5 1-4/1&7|1

Round 59 : 7+1^3%1%6^2^3%5

Answer :  7 7-1|3%1%6|2|3%5

Round 60 : 2-9^4+1*1

Answer :  11 2+9|4-1/1

Congrats! You've cleared whole probs!

The key is on https://www.youtube.com/watch?v=NQlnVVQbpi0 




네 넘나 이쁘고 귀여워서 문제 만든분께 감사합니다.


Thanks to @sup3rv1s0r

저작자 표시 비영리
신고

[세종 CTF/109] 당신은 Robots 입니까?

Posted by nopsled
2016.04.07 15:12 문제풀이



첫 메인 접속시 로봇이냐고 물어본다.


공격 벡터도 없고 생각좀 하다가 robots.txt가 생각나서 들어가봤다.




SSG_Browser만 접근가능하게끔 되어 있고..




SSG_Browser로 바꿔서 들어가면 위와 같은 인증창이 나오는데 페이지 소스를 본다.




eval코드를 복호화하면 다음과 같은 코드가 나온다.




POST로 값을 보낸다.



a를 보냈을때 리스폰값에 -5가 붙어 있고



4를 넣었을때 -5가 사라진다.


사이드채널어택이나 타이밍 어택으로 보고 코딩시작~




robots.py




# -*- coding: utf8 -*-

import requests

alphabet = 'abcdefghijklmnopqrstuvwxyz01234567890'

answer = []

while True:

    find = False

    for i in range(0, len(alphabet)):

        data = {'a':''.join(answer)+alphabet[i]}

        res = requests.post('http://sandbox.smishing.kr:32810/post.php', data=data,headers={'User-Agent':'SSG_Browser'}).content

        if res.find('-5') == -1:

            answer.append(alphabet[i])

            find = True

            print ''.join(answer)

            break


    if find == False: break

print 'Key : ' + ''.join(answer)

print '----- webdata -----'

data = {'a':''.join(answer)}

res = requests.post('http://sandbox.smishing.kr:32810/post.php', data=data,headers={'User-Agent':'SSG_Browser'}).content

print res 





유니코드로 출력해주면 끝.


결론은 앙 주난띠!



Thanks to @이준환, @최인준

저작자 표시 비영리
신고

티스토리 툴바