読者です 読者をやめる 読者になる 読者になる

SECON 2016 Online CTF-Write Up-

logo.png

SECCONとは・・・http://2016.seccon.jp/about/

情報セキュリティをテーマに多様な競技を開催する情報セキュリティコンテストイベントです。

SECCONオンライン予選「SECCON 2016 Online CTF」に参加してきました

この記事は「CTF Advent Calendar 2016」の13日目の記事です

今回はあまり解けていないのでそのあたりは・・・

Q.PNG

今回は解いている人が多いこの3問しか解けませんでした・・・

BiPhone(@Akashi_SN,@Snow_Poijio,@yamasy1549)で出場し、

BiPhone.PNG

300点で420位でした・・・精進します

Write Up

競技時間中に解けた問題のWrite Upを書いていきます。

Vigenere[Crypto-100pt]

Question

k: ????????????
p: SECCON{???????????????????????????????????}
c: LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ

k=key, p=plain, c=cipher, md5(p)=f528a6ab914c1ecf856a1d93103948fe

 |ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
-+----------------------------
A|ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
B|BCDEFGHIJKLMNOPQRSTUVWXYZ{}A
C|CDEFGHIJKLMNOPQRSTUVWXYZ{}AB
D|DEFGHIJKLMNOPQRSTUVWXYZ{}ABC
E|EFGHIJKLMNOPQRSTUVWXYZ{}ABCD
F|FGHIJKLMNOPQRSTUVWXYZ{}ABCDE
G|GHIJKLMNOPQRSTUVWXYZ{}ABCDEF
H|HIJKLMNOPQRSTUVWXYZ{}ABCDEFG
I|IJKLMNOPQRSTUVWXYZ{}ABCDEFGH
J|JKLMNOPQRSTUVWXYZ{}ABCDEFGHI
K|KLMNOPQRSTUVWXYZ{}ABCDEFGHIJ
L|LMNOPQRSTUVWXYZ{}ABCDEFGHIJK
M|MNOPQRSTUVWXYZ{}ABCDEFGHIJKL
N|NOPQRSTUVWXYZ{}ABCDEFGHIJKLM
O|OPQRSTUVWXYZ{}ABCDEFGHIJKLMN
P|PQRSTUVWXYZ{}ABCDEFGHIJKLMNO
Q|QRSTUVWXYZ{}ABCDEFGHIJKLMNOP
R|RSTUVWXYZ{}ABCDEFGHIJKLMNOPQ
S|STUVWXYZ{}ABCDEFGHIJKLMNOPQR
T|TUVWXYZ{}ABCDEFGHIJKLMNOPQRS
U|UVWXYZ{}ABCDEFGHIJKLMNOPQRST
V|VWXYZ{}ABCDEFGHIJKLMNOPQRSTU
W|WXYZ{}ABCDEFGHIJKLMNOPQRSTUV
X|XYZ{}ABCDEFGHIJKLMNOPQRSTUVW
Y|YZ{}ABCDEFGHIJKLMNOPQRSTUVWX
Z|Z{}ABCDEFGHIJKLMNOPQRSTUVWXY
{|{}ABCDEFGHIJKLMNOPQRSTUVWXYZ
}|}ABCDEFGHIJKLMNOPQRSTUVWXYZ{

Vigenere cipher

https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher

Answer

問題文とヒントのリンクからわかるようにこれはVigenere暗号だな~とわかる

http://elliptic-shiho.hatenablog.com/entry/2015/11/12/041637

ここのサイトを参考にした

鍵の前7文字はわかるのであとの5文字つまりlog(28^5)=7.15と全探索できそうなので鍵を全探索するコードを書く

#!/usr/bin/env python
import hashlib

Base = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ{}'
key = ""
Cipher = "LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ"
KnownPlain = "SECCON{"
Plain = ""
Md5_Plain = "f528a6ab914c1ecf856a1d93103948fe"

for i in range(len(KnownPlain)):
    Index_Of_KnownPlain = Base.find(KnownPlain[i])
    Index_Of_Cipher = Base.find(Cipher[i])
    Index_Of_key = Index_Of_KnownPlain - Index_Of_Cipher
    key += Base [-Index_Of_key]
print("key:{}".format(key))

Allkey = [x+y+z+a+b for x in Base for y in Base for z in Base for a in Base for b in Base]
j = 0
for k in Allkey:
    Plain = ""
    for i in range(len(Cipher)):
        Index_Of_Cipher = Base.find(Cipher[i])
        genKey = key+k
        Index_Of_Key = Base.find(genKey[i%12])
        Index_Of_Plain = Index_Of_Cipher - Index_Of_Key
        Plain += Base[Index_Of_Plain]
        j+=1
        if j%1000000 == 0:
            print("{} Times".format(j))
    if hashlib.md5(Plain.encode('utf8')).hexdigest() == Md5_Plain:
        print("Find!!!! ...{} Times")
        print(Plain)
        break
$ python3 Vigenere.py
key:VIGENER
10000000 Times
20000000 Times
30000000 Times
40000000 Times
50000000 Times
60000000 Times
70000000 Times
80000000 Times
90000000 Times
100000000 Times
Find!!!! ...108084499 Times
SECCON{ABABABCDEDEFGHIJJKLMNOPQRSTTUVWXYYZ}

1分ぐらいでフラグが出てくる

VoIP[Forensics-100pt]

Question

VoIP
Extract a voice.
The flag format is SECCON{[A-Z0-9]}.

voip.pcap

Answer

Ip電話のパケットのようなので、Wireshark電話(y)→VoIP通話(V)→ストリーム再生で音声を聞ける。

Vの発音がわからず苦労した

FLAG:SECCON{9001IVR}

Memory Analysis[Forensics-100pt]

Question

Find the website that the fake svchost is accessing.
You can get the flag if you access the website!!

The challenge files are huge, please download it first. 
Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file

password: fjliejflsjiejlsiejee33cnc 

memoryanalysis.zip

Answer

http://www.volatilityfoundation.org/のメモリダンプの解析ソフトを使ってやる

https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage ドキュメント

volatility-2.5.standalone.exe -f forensic_100.raw imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\SECCON-2016-Online-CTF\Forensics\100\Memory Analysis\memoryanalysis\forensic_100.raw)
                      PAE type : PAE
                           DTB : 0x34c000L
                          KDBG : 0x80545ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-12-06 05:28:47 UTC+0000
     Image local date and time : 2016-12-06 14:28:47 +0900

どうやらWinXPのメモリダンプらしい

プロセス一覧

volatility-2.5.standalone.exe -f forensic_100.raw psscan
Volatility Foundation Volatility Framework 2.5
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001805d40 disable_outdate    1376   1928 0x09480360 2016-10-26 09:44:04 UTC+0000   2016-10-26 09:44:04 UTC+0000
0x00000000018dc630 tcpview.exe        2844   1464 0x09480320 2016-12-06 05:13:57 UTC+0000   2016-12-06 05:26:18 UTC+0000
0x0000000001bb4380 tcpview.exe        3308   1556 0x091c0360 2016-12-06 05:28:42 UTC+0000
0x0000000001c18020 smss.exe            540      4 0x091c0020 2016-12-06 05:27:04 UTC+0000
0x0000000001c309e8 vmtoolsd.exe       1820    676 0x04c00260 2016-10-25 10:17:40 UTC+0000   2016-10-26 09:05:05 UTC+0000
0x0000000002018da0 svchost.exe         848    672 0x091c00e0 2016-12-06 05:27:08 UTC+0000
0x0000000002041928 svchost.exe        1320    672 0x091c0180 2016-12-06 05:27:10 UTC+0000
0x000000000204b4b0 vmtoolsd.exe        312    672 0x091c02a0 2016-12-06 05:27:13 UTC+0000
0x000000000204f560 svchost.exe        1704    672 0x091c0200 2016-12-06 05:27:10 UTC+0000
0x0000000002056228 wscntfy.exe         720   1036 0x091c03a0 2016-12-06 05:27:18 UTC+0000
0x00000000020886f0 GoogleUpdate.ex     372   1984 0x091c02c0 2016-12-06 05:27:13 UTC+0000
0x0000000002089200 wmiprvse.exe        596    848 0x091c0340 2016-12-06 05:27:13 UTC+0000
0x00000000020f6da0 csrss.exe           604    540 0x091c0040 2016-12-06 05:27:07 UTC+0000
0x0000000002100558 VGAuthService.e     196    672 0x091c0280 2016-12-06 05:27:13 UTC+0000
0x000000000210dbe0 spoolsv.exe        1644    672 0x091c01e0 2016-12-06 05:27:10 UTC+0000
0x000000000212cb20 wuauclt.exe        3164   1036 0x091c01a0 2016-12-06 05:28:15 UTC+0000
0x0000000002146238 alg.exe            2028    672 0x091c0380 2016-12-06 05:27:16 UTC+0000
0x0000000002165da0 svchost.exe        1776    672 0x091c0220 2016-12-06 05:27:10 UTC+0000
0x000000000218c9a0 lsass.exe           684    628 0x091c00a0 2016-12-06 05:27:07 UTC+0000
0x0000000002192778 svchost.exe        1088    672 0x091c0140 2016-12-06 05:27:08 UTC+0000
0x0000000002262b20 wuauclt.exe         488   1036 0x091c02e0 2016-12-06 05:27:13 UTC+0000
0x0000000002351ca8 svchost.exe         936    672 0x091c0100 2016-12-06 05:27:08 UTC+0000
0x0000000002354880 vmacthlp.exe        836    672 0x091c00c0 2016-12-06 05:27:08 UTC+0000
0x000000000236a5e8 DumpIt.exe         3740   1556 0x091c0320 2016-12-06 05:28:46 UTC+0000
0x000000000236e670 services.exe        672    628 0x091c0080 2016-12-06 05:27:07 UTC+0000
0x0000000002370da0 ctfmon.exe         1872   1556 0x091c0160 2016-12-06 05:27:11 UTC+0000
0x0000000002373da0 winlogon.exe        628    540 0x091c0060 2016-12-06 05:27:07 UTC+0000
0x00000000023f8438 vmtoolsd.exe       1856   1556 0x091c0240 2016-12-06 05:27:11 UTC+0000
0x000000000245bda0 IEXPLORE.EXE        380   1776 0x091c03c0 2016-12-06 05:27:19 UTC+0000
0x0000000002467900 rundll32.exe       1712   1556 0x091c0260 2016-12-06 05:27:16 UTC+0000
0x000000000249f7e8 IEXPLORE.EXE       1080    380 0x091c0300 2016-12-06 05:27:21 UTC+0000
0x0000000002512450 svchost.exe        1036    672 0x091c0120 2016-12-06 05:27:08 UTC+0000
0x000000000251f698 explorer.exe       1556   1520 0x091c01c0 2016-12-06 05:27:10 UTC+0000
0x00000000025c8660 System                4      0 0x0034c000

ニセのsvchostがアクセスしてるサイトを見つける

次にすべてのsvchostダンプする

volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 936
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x82151ca8 0x01000000 svchost.exe          OK: executable.936.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 1704
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81e4f560 0x01000000 svchost.exe          OK: executable.1704.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 848
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81e18da0 0x01000000 svchost.exe          OK: executable.848.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 1776
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81f65da0 0x00400000 svchost.exe          OK: executable.1776.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 1320
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81e41928 0x01000000 svchost.exe          OK: executable.1320.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 1088
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81f92778 0x01000000 svchost.exe          OK: executable.1088.exe

>volatility-2.5.standalone.exe -f forensic_100.raw procdump -D dump/ -p 1036
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x82312450 0x01000000 svchost.exe          OK: executable.1036.exe
dump$ file *
executable.1036.exe: PE32 executable (GUI) Intel 80386, for MS Windows
executable.1088.exe: PE32 executable (GUI) Intel 80386, for MS Windows
executable.1320.exe: PE32 executable (GUI) Intel 80386, for MS Windows
executable.1704.exe: PE32 executable (GUI) Intel 80386, for MS Windows
executable.1776.exe: PE32 executable (console) Intel 80386, for MS Windows
executable.848.exe:  PE32 executable (GUI) Intel 80386, for MS Windows
executable.936.exe:  PE32 executable (GUI) Intel 80386, for MS Windows

executable.1776.exeだけ違うので、

$ strings executable.1776.exe | grep http
C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd

何かアクセスしようとしてる・・・

Hint2: Check the hosts fileらしいので、

volatility-2.5.standalone.exe -f forensic_100.raw filescan | grep hosts
Volatility Foundation Volatility Framework 2.5
0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts

あった!ダンプしてみよう!

volatility-2.5.standalone.exe -f forensic_100.raw dumpfiles -D output/ -Q 0x000000000217b748
Volatility Foundation Volatility Framework 2.5
DataSectionObject 0x0217b748   None   \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
cat file.None.0x819a3008.dat
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
153.127.200.178    crattack.tistory.com

どうやらcrattack.tistory.comにアクセスしようとすると153.127.200.178にアクセスしてしまうよう

つまりhttp://153.127.200.178/entry/Data-Science-import-pandas-as-pdにアクセスすれば良さそう

するとファイルがダウンロードされるので表示するとフラグが手に入る

FLAG:SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}

感想

ほんとにまだまだということがわかったので精進します・・・