[LINUX] Beginning with CTF


It's getting colder, is not it? How are you all doing? I have a cold. Nice to meet you. This is the first year of Pika Pika, who joined the company as a new employee from this year. The other day I got a bonus from the company and went shopping at an outlet mall. I bought a sweatshirt for 60,000 yen. I don't regret it because it was 60,000 yen with 60% off.

Well, this time, I will write an article for the first time by borrowing the place of the Advent calendar. I didn't have the courage or motivation to write until now, but I was invited to synchronize and it was my birthday on December 10th, so I decided to write it thinking that this is auspicious! did. I was wondering what article to write, but when I saw the articles of my predecessors, I came up with the idea.

In the division I belong to, my boss is like CTF (Capture The Flag) as written in Article on the 3rd day. It seems that an in-house SE engineer contest is being held. The winning team has also been commended, and I thought it was a very good event. Therefore, I wanted new employees (especially those who haven't touched IT so much) to participate, so CTF is fun !! I decided to write an article. By the way, this is my first time to solve the CTF problem. It was fun to try and I hope you'll be interested in this article.

CTF is what

As mentioned above, CTF is an abbreviation for Capture The Flag, which is like a so-called treasure hunt. If you are a FPS player, you can easily imagine it. [Wikipedia](https://ja.wikipedia.org/wiki/%E3%82%AD%E3%83%A3%E3%83%97%E3%83%81%E3%83%A3%E3%83 % BC% E3% 83% BB% E3% 82% B6% E3% 83% BB% E3% 83% 95% E3% 83% A9% E3% 83% 83% E3% 82% B0) I am. There are two patterns of CTF, one is to solve a given problem and the other is to compete separately on the attacking side and the defending side in the same environment. In this article, we will mainly explain the format for solving problems. There are various forms of problems, and answers are given using methods such as deciphering a given ciphertext, extracting information from a large amount of data, and exploiting software vulnerabilities to enable viewing of pages that cannot be viewed. I will find out. This answer is called a flag in CTF, and it feels like participants are looking for a flag. I feel like I'm a hacker. In the contest, multiple questions like the above will be asked, and if you find the flag, you will get points. Then, they compete for the highest score, and finally the team with the highest score wins. There are many genres, and you can solve any problem. If it's a team battle, it's also an ant to divide the members according to their specialty and challenge.

I mentioned earlier that there are a wide variety of genres, but the main genres are as follows.

Before practicing CTF

In Japan, [law](https://ja.wikipedia.org/wiki/%E4%B8%8D%E6%AD%A3%E3%82%A2%E3%82%AF%] E3% 82% BB% E3% 82% B9% E8% A1% 8C% E7% 82% BA% E3% 81% AE% E7% A6% 81% E6% AD% A2% E7% AD% 89% E3% You may be punished by 81% AB% E9% 96% A2% E3% 81% 99% E3% 82% 8B% E6% B3% 95% E5% BE% 8B). Unauthorized access refers to the act of an unauthorized access by a person who originally does not have access authority to attack the system. Please be aware that if you access the world indiscriminately, you will be caught in the law.

pwn Originally, pwn is a slang derived from the typo of "own", and it is sometimes called "pwnable". pwn is a genre that exploits program vulnerabilities to find flags.

Stack buffer overflow

This article describes how to solve the simplest stack buffer overflow in the pwn problem.



void overflow(char *input){
    char buf[16];
    int secret = 0;
    strcpy(buf, input);

    if(secret == 0x45444342){
        system("cat answer.txt");
        printf("Secret code is %x\n", secret);

int main(int argc, char **argv){
    if(argc > 1){
    return 0;

If the value of secret is 0x45444342, it seems that the answer is output from answer.txt. However, the value of secret contains 0 and is not changed. If you try it for the time being

$ ./overflow "A"
Secret code is 0

The above output will be output. So how do you rewrite the value of secret? Use stack buffer overflow here. Buffer overflow is the rewriting of data that exceeds the memory area reserved in advance. In this case, if ʻinput is larger than buf`, the excess memory will be rewritten. For example

$ ./overflow "AAAAAAAAAAAAAAAA" #16 A
Secret code is 0
$ ./overflow "AAAAAAAAAAAAAAAAA" #17 A
Secret code is 41

When 16 A's are passed, the value of secret has not changed, but when 17 A's are passed, a buffer overflow occurs and the value of secret is rewritten to 41. Where 41 is the ASCII code value for ʻA. In other words, values of 16 bytes or less are stored in buf, and values of 17 bytes or more cause overflow and secretis rewritten. Now, the value ofsecret should be 0x45444342, and if you are familiar with it, you may notice that the ASCII code of B is 42, the ASCII code of C` is 43, and so on. If you enter while paying attention to the address storage method called endian,

ctf{It's overflow.}

I was able to extract the flag. At first, pwn may seem difficult, but as you get used to it, you can take the shell and feel like a hacker (?), So I think there is an element of replay.

Crypto Crypto means cryptography, and as the name suggests, questions related to cryptography are asked. If you are familiar with it, there is a Caesar cipher. I would like to solve the problem while explaining below.

Caesar Suppose you have the following ciphertext: synt_jrypbzr_gb_pgs This is the original plaintext encrypted using the Caesar cipher. Caesar cipher is a method of generating ciphertext by shifting plaintext by n characters in alphabetical order. Generally, n = 13, so this time it is shifted by 13 characters. In other words, the ordinary alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ On the other hand, if you use Caesar cipher NOPQRSTUVWXYZABCDEFGHIJKLM It means that. Therefore, you can get the answer by reverting the given characters to 13 characters. For the time being, the code that can be restored to 13 characters is described below (it is very suitable, but ...).


crypto = 'synt_jrypbzr_gb_pgs'
caesar = 13
plain = ''

for char in list(crypto):
    ASCII = ord(char)
    if char != '_':
        num = ASCII - 97
        num = (num - caesar) % 26
        ASCII = num + 97
    plain += chr(ASCII)


The result was flag_welcome_to_ctf. It looks like that.

Reversing Also known as binary parsing. Binary refers to the format represented by "0" and "1" so that the computer can recognize it. Since we cannot read what is represented only by 0s and 1s, there is a method called disassembly, which translates into a language that is more human-friendly. You can use it to analyze computer behavior and get flags by making inputs that meet the criteria. In general, Reversing seems to gain some power when pwn becomes possible. I will study for a moment.

Web There are various types of Web problems, such as SQL injection, which is a problem of logging in by making a slight twist in the input form of a Web page, and RCE (Remote Code Execution), which is a problem of executing code remotely. There is a problem like getting the flag.

SQL injection

Here, I will solve the problem using SQL injection. I would like to quote the problem from ksnctf, a site where you can practice CTF. Here, we will solve only the introductory part of the problem Login. When I move to the page, it says that I should log in as admin. スクリーンショット 2019-12-09 2.23.29.png Normally, you wouldn't know the password for admin, but if this site has a vulnerability called SQL injection, you can log in without knowing the password. Let's talk a little bit about SQL injection. For example, this SQL statement SELECT * FROM user WHERE id='$id' AND pass='$pass' Suppose it was. At this time, enter $ id and $ pass, but if you enter ʻadmin in $ idand'or 1 = 1 -- in $ pass, the admin user information Can be extracted. Applying it to the above SQL statement, SELECT * FROM user WHERE id='admin' AND pass=' ' or 1=1 --' It is that. I would like you to pay attention to thepass part, but the pass character string is determined by using whitespace characters and quotation marks'. This conditional expression itself doesn't make much sense. The reason is that the latter 1 = 1is all true. And by usingpass ='''or 1 = 1 and the logical operator ʻor, everything is true even if pass does not match the password of ʻadmin. The final --` means commented out, assuming that there were no subsequent SQL statements. スクリーンショット 2019-12-10 1.05.50.png Then, when I try to fill in the input form as above ... スクリーンショット 2019-12-10 1.06.04.png Moves to the next screen. The problem itself will continue for the time being, but this time I will leave it here. For more information, please refer to this article. By the way, スクリーンショット 2019-12-10 1.06.21.png You can still log in. Think about the reason.

Network There are two main types of network problems in CTF. The first is the problem of parsing a file that contains what is called a packet, which flows during network communication. The file that contains the packet is called a pcap file, and the flag is acquired by parsing it. The other is the problem of accessing the server and getting the flag. It accesses the server based on the IP address and packet given in advance and acquires the flag. This time I would like to introduce the first problem of packet analysis.

Packet analysis

This time we will analyze the pcap file used in CTF for Beginners 2015. Problem file is here. First, the packet is analyzed using software called Wireshark. Wireshark is software that can analyze packets, and it records the contents such as when, who communicated with what protocol. The installation method of Wireshark is omitted here. After installing Wireshark, open the pcap file with Wireshark. When you open it, you will see the following state. スクリーンショット 2019-12-09 0.30.59.png You should see a list of packets, detailed information about the packet, and the binary data in the packet. I'm looking for a suspicious place from here, but if you look at the protocol, you can see that a file transfer protocol called FTP is used. Actually, the title of this problem is "File Transfer Protocol", so it seems like you should look there as a hint. Since we decided to focus on FTP, let's filter other than FTP communication for the time being. Now, as shown in the image below, enter "ftp or ftp-data" in the "Apply display filter" section of the window and press the Enter key. Then, only the communication used for FTP communication will be output to the screen. スクリーンショット 2019-12-09 0.36.55.png Although not explained in detail, "ftp" represents control communication for actual FTP communication, and "ftp-data" represents data communication.

Next, look at the column called Info on the far right of the packet list. It may be difficult to read all of this, but after logging in to the FTP server, send a request "Please give me the data of 1.txt, 2.zip and 3.txt" and transfer the data to it. You can see that it is. スクリーンショット 2019-12-09 0.58.47.png Therefore, if you look at the contents of 1.txt, 2.zip, and 3.txt, you can guess that the answer or hint is written. It's easy to read the contents of 1.txt and 3.txt. There is "Line-based text data (1 lines)" in the packet details. When I open this ... スクリーンショット 2019-12-09 0.11.12.png Something like a flag came out. In 1.txt, it was described as "ctf4b {This_communication_is", and in 3.txt, it was described as "\ _encrypted.}" (Please check 3.txt by yourself). Finally, let's check 2.zip. However, the contents are not described in 2.zip. So let's download this zip file locally. 2. Right-click the FTP-DATA containing the zip and click "Tracking-> TCP Stream". This is a function that displays only the communication content (TCP session in this case) related to the specified packet. Now try converting from ASCII format to Raw format and saving it locally, as shown in the image below. If you save the file in ASCII format, the expanded file will be in binary type. After saving, unzip the zip file and look at the contents, it says "\ _not". Therefore, the correct answer for this question is "ctf4b {This_communication_is_not_encrypted.}". Certainly it wasn't encrypted.


How was it. The problem I posted in this article was rather easy, so I think that even new employees who joined the company from this year could understand it to some extent. There are many more difficult problems in the world, and if you can solve those problems, you may catch the eye of a great man. I hope the barriers to the contest can be lowered as much as possible. For the time being, the sites that can solve CTF problems and the references that can be used as reference are listed below.

Practice site


-Security Contest Challenge Book Let's Learn with CTF! How to fight to protect information -CTF Problem Collection for Security Contest

Also, there are explanations called write ups scattered on the net, so I think it will be helpful to take a look at them. I think we will hold a contest again this year, so I would like to participate as well. Why don't you join us?

Recommended Posts

Beginning with CTF
Beginning with Selenium
Beginning with PyTorch
Beginning with Python machine learning