# Introduction

It's getting colder, isn't it? How are you all doing? I have a cold. Nice to meet you. I'm Pika Pika, a first-year employee who joined the company this year. The other day I got a bonus from the company and went shopping at an outlet mall. I bought a sweatshirt for 60,000 yen. I don't regret it, because it was 60,000 yen after a 60% discount.

Well, this time I'm writing an article for the first time, borrowing a slot in the Advent calendar. Until now I didn't have the courage or motivation to write, but a colleague from my intake invited me, and December 10th is my birthday, so I decided to write, thinking that this is auspicious! I wondered what to write about, but when I saw my predecessors' articles, I came up with the idea.

In the division I belong to, my boss holds an in-house SE engineer contest in the style of a CTF (Capture The Flag), as described in the article for day 3. The winning team is also commended, and I thought it was a very good event. So I wanted new employees (especially those who haven't had much contact with IT) to take part, and I decided to write an article saying "CTF is fun!!". By the way, this is my first time solving CTF problems. It was fun to try, and I hope this article gets you interested.

# What is CTF?

As mentioned above, CTF is an abbreviation for Capture The Flag, and it is something like a treasure hunt. If you are an FPS player you can easily picture it. See [Wikipedia](https://ja.wikipedia.org/wiki/%E3%82%AD%E3%83%A3%E3%83%97%E3%83%81%E3%83%A3%E3%83%BC%E3%83%BB%E3%82%B6%E3%83%BB%E3%83%95%E3%83%A9%E3%83%83%E3%82%B0) as well. There are two patterns of CTF: one is to solve given problems, and the other is for an attacking side and a defending side to compete in the same environment. This article mainly explains the problem-solving format. The problems come in various forms, and you find the answer with methods such as deciphering a given ciphertext, extracting information from a large amount of data, or exploiting a software vulnerability to view a page that normally cannot be viewed. In CTF this answer is called a flag, and participants search for flags. It feels like being a hacker. In a contest, several such questions are set, and finding a flag earns points. Teams then compete for the highest score, and the team with the most points at the end wins. There are many genres, and you may solve problems in any of them. In a team battle it is also a good idea to divide up the members according to their specialties.

I mentioned earlier that there are a wide variety of genres, but the main genres are as follows.

• pwn
• Crypto
• Reversing
• Web
• Network
• misc (other problems)

I would like to explain the five genres above other than Reversing, with example problems (I don't understand Reversing myself, and it is difficult for beginners to grasp...). Also, I am a CTF beginner myself, and I want beginners to engage with this, so I am solving simple problems. Even if you can't master everything, you may be able to show your strength in team battles, so if there is an area that interests you, please try it yourself.

# Before practicing CTF

In Japan, unauthorized access is punishable under the [Act on Prohibition of Unauthorized Computer Access](https://ja.wikipedia.org/wiki/%E4%B8%8D%E6%AD%A3%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E8%A1%8C%E7%82%BA%E3%81%AE%E7%A6%81%E6%AD%A2%E7%AD%89%E3%81%AB%E9%96%A2%E3%81%99%E3%82%8B%E6%B3%95%E5%BE%8B). Unauthorized access means attacking a system by accessing it when you originally have no authority to do so. Please be aware that if you indiscriminately access systems out in the world, you will be caught by this law.

## pwn

Originally, pwn is slang derived from a typo of "own", and it is sometimes called "pwnable". pwn is a genre where you exploit program vulnerabilities to find the flag.

### Stack buffer overflow

This article describes how to solve a stack buffer overflow, the simplest kind of pwn problem.

#### `overflow.c`

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately vulnerable: the layout relies on the compiler placing
 * secret directly after buf (e.g. gcc -O0 with stack protection off). */
void overflow(char *input){
    char buf[16];
    int secret = 0;
    strcpy(buf, input);   /* no length check: this is the overflow */

    if(secret == 0x45444342){
        /* print the flag stored in answer.txt (body omitted on the original page) */
        FILE *fp = fopen("answer.txt", "r");
        char flag[64];
        if(fp != NULL && fgets(flag, sizeof(flag), fp) != NULL){
            printf("%s", flag);
        }
        if(fp != NULL) fclose(fp);
    }else{
        printf("Secret code is %x\n", secret);
    }
}

int main(int argc, char **argv){
    if(argc > 1){
        overflow(argv[1]);
    }
    return 0;
}
```

If the value of `secret` is `0x45444342`, the answer is printed from answer.txt. However, `secret` is initialized to `0` and is never assigned afterward. If you just try running it:

```
$ ./overflow "A"
Secret code is 0
```

you get the output above. So how do you rewrite the value of `secret`? This is where the stack buffer overflow comes in. A buffer overflow is writing data beyond the memory area reserved for it in advance. Here, if `input` is larger than `buf`, the memory past the end of `buf` gets overwritten. For example:

```
$ ./overflow "AAAAAAAAAAAAAAAA" #16 A
Secret code is 0
$ ./overflow "AAAAAAAAAAAAAAAAA" #17 A
Secret code is 41
```

With 16 A's the value of `secret` is unchanged, but with 17 A's a buffer overflow occurs and `secret` is rewritten to 41, where 41 is the hexadecimal ASCII code of `A`. (Strictly speaking, 16 A's already overflow by one byte, because `strcpy` also copies the terminating null, but that byte is 0 and `secret` was already 0.) In other words, inputs of 16 bytes or less fit in `buf`, while inputs of 17 bytes or more overflow into `secret`. Now, `secret` has to become `0x45444342`, and if you are familiar with ASCII you may notice that `B` is 42, `C` is 43, and so on. Paying attention to the byte order in memory, called endianness (on this little-endian machine the lowest byte of `secret` is stored first, so `0x45444342` is laid out as the bytes 42 43 44 45, i.e. `BCDE`), you enter:

```
$ ./overflow "AAAAAAAAAAAAAAAABCDE"
ctf{It's overflow.}
```

I was able to extract the flag. pwn may seem difficult at first, but as you get used to it you can get a shell and feel like a hacker (?), so I think it has a lot of replay value.
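To make the byte layout concrete, here is an added Python model (not code from the original article) of the frame of `overflow()`: 16 bytes of `buf` followed by the 4-byte `secret`, with the copy done the way `strcpy` does it. It assumes `secret` sits directly after `buf`, as the outputs above show, and also models a length-checked copy to show that the overwrite then never happens.

```python
import struct

BUF_SIZE = 16   # char buf[16] in overflow.c
# Assumption (matches the outputs above): secret is stored directly after buf.
SECRET_OFFSET = BUF_SIZE


def run_model(user_input: bytes, bounded: bool = False) -> int:
    """Copy user_input into a model of overflow()'s frame and return `secret`.

    bounded=False copies like strcpy (no length check, terminating NUL included).
    bounded=True copies at most BUF_SIZE bytes, which is what a safe copy would do.
    """
    frame = bytearray(BUF_SIZE + 4)        # buf (16 bytes) + secret (4 bytes), all zero
    data = user_input + b"\x00"            # strcpy also writes the terminating NUL
    if bounded:
        data = data[:BUF_SIZE]             # a bounds check keeps every byte inside buf
    n = min(len(data), len(frame))         # bytes past the frame would hit other data
    frame[:n] = data[:n]                   # bytes 16..19 of the input land on secret
    # secret is a little-endian int: the byte at offset 16 is its least significant
    return struct.unpack_from("<I", frame, SECRET_OFFSET)[0]


def memory_bytes(value: int) -> bytes:
    """The byte order in which a little-endian machine stores the int `value`."""
    return struct.pack("<I", value)
```

`run_model(b"A" * 16 + b"BCDE")` reproduces the `0x45444342` seen above, while the bounded copy leaves `secret` at 0 for the same input.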

## Crypto

Crypto means cryptography, and as the name suggests, the questions are about ciphers. A well-known example is the Caesar cipher. I'll solve a problem while explaining it below.

### Caesar

Suppose you have the following ciphertext: `synt_jrypbzr_gb_pgs`. This is a plaintext encrypted with the Caesar cipher. The Caesar cipher generates ciphertext by shifting each letter of the plaintext n places along the alphabet. The usual value is `n = 13`, so here it is shifted by 13 letters. In other words, the ordinary alphabet `ABCDEFGHIJKLMNOPQRSTUVWXYZ` becomes `NOPQRSTUVWXYZABCDEFGHIJKLM` under this Caesar cipher. Therefore, you can get the answer by shifting the given characters back by 13. The code to shift back by 13 is below (it's a rough script, but...).

#### `Caesar.py`

```python
crypto = 'synt_jrypbzr_gb_pgs'
caesar = 13
plain = ''

for char in crypto:
    ASCII = ord(char)
    if char != '_':
        num = ASCII - 97             # position of the lowercase letter in the alphabet
        num = (num - caesar) % 26    # shift back by 13, wrapping around
        ASCII = num + 97
    plain += chr(ASCII)              # '_' is appended unchanged

print(plain)
```

The result was `flag_welcome_to_ctf`. That looks right.
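As an added example (not from the original article), here is a more general version of the script: it shifts by any n, handles upper-case letters, leaves other characters such as `_` and braces alone, and, for the case where n is unknown, returns all 25 candidate plaintexts so you can pick the readable one.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def caesar_shift(text: str, n: int) -> str:
    """Shift every letter of `text` by n places (negative n shifts back).

    Non-letters such as '_' and '{' are kept as they are, so flag formats survive.
    """
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + n) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt_rot13(cipher: str) -> str:
    """Undo the usual n = 13 shift (for 13, shifting back and forward coincide)."""
    return caesar_shift(cipher, -13)


def all_shifts(cipher: str) -> dict:
    """When n is unknown, try every shift back; the key is the shift that was undone."""
    return {n: caesar_shift(cipher, -n) for n in range(1, 26)}
```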

## Reversing

Also known as binary analysis. A binary is the format made up of "0"s and "1"s that a computer can understand. Since we cannot read something represented only in 0s and 1s, there is a technique called disassembly that translates it into something closer to a human-readable language. Using it, you analyze how the program behaves and get the flag by crafting an input that satisfies its conditions. It is said that once you can do pwn, you also get a bit stronger at Reversing. I'll study it some time.

## Web

Web problems come in various types, such as SQL injection, where you log in by adding a small twist to the input form of a web page, and RCE (Remote Code Execution), where you execute code on the remote server to get the flag.

### SQL injection

Here, I will solve a problem using SQL injection. I'll borrow the problem from ksnctf, a site where you can practice CTF. Here we only solve the introductory part of the problem "Login". When you go to the page, it tells you to log in as admin. Normally you wouldn't know admin's password, but if this site has the vulnerability called SQL injection, you can log in without knowing the password. Let me explain SQL injection a little. Suppose the site runs the SQL statement `SELECT * FROM user WHERE id='$id' AND pass='$pass'`. You enter `$id` and `$pass`, but if you enter `admin` for `$id` and `' or 1=1 --` for `$pass`, the admin user's information can be extracted. Applied to the SQL statement above, it becomes `SELECT * FROM user WHERE id='admin' AND pass='' or 1=1 --'`. Look at the `pass` part: the quotation mark `'` and the space in the input end the pass string early. The condition `pass=''` itself doesn't mean much; the point is that the `1=1` after it is always true, and with the logical operator `or`, `pass='' or 1=1` is true as a whole even though `pass` does not match admin's password. The trailing `--` comments out the rest of the statement, so whatever SQL followed (here the closing quote) is ignored. So, when I fill in the input form like this ... it moves to the next screen. The problem itself continues, but this time I'll leave it here. For more details, please refer to this article. By the way, you can still log in this way. Think about why.
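To see why this works, here is an added Python example (not from the original article or from ksnctf) that builds the same kind of query against an in-memory SQLite table with a constructed `user` row: first by pasting the input into the SQL string as the vulnerable site does, then with a placeholder so the quotes in the input are never interpreted as SQL.

```python
import sqlite3

# Constructed sample table; the password is made up for this example.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE user (id TEXT, pass TEXT)")
conn.execute("INSERT INTO user VALUES ('admin', 's3cret-example'), ('guest', 'guest')")


def rendered_query(user_id: str, password: str) -> str:
    """The SQL text the vulnerable version sends: input pasted straight into it."""
    return f"SELECT id FROM user WHERE id='{user_id}' AND pass='{password}'"


def vulnerable_login(user_id: str, password: str):
    """Pattern from the article: a quote in the input changes the query itself."""
    row = conn.execute(rendered_query(user_id, password)).fetchone()
    return row[0] if row else None


def safe_login(user_id: str, password: str):
    """Parameterised query: the driver passes values separately from the SQL text,
    so `' or 1=1 --` is compared literally against the stored password."""
    sql = "SELECT id FROM user WHERE id=? AND pass=?"
    row = conn.execute(sql, (user_id, password)).fetchone()
    return row[0] if row else None
```

With the input from the article, `vulnerable_login("admin", "' or 1=1 --")` returns a row while `safe_login` with the same input returns `None`.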

## Network

There are two main types of network problems in CTF. The first is analyzing a file that contains what are called packets, the units of data that flow during network communication. The file that contains the packets is called a pcap file, and you get the flag by analyzing it. The other is accessing a server and getting the flag: you connect to the server using the IP address and other details given in advance and obtain the flag. This time I would like to introduce the first type, packet analysis.

### Packet analysis

This time we will analyze the pcap file used in CTF for Beginners 2015. The problem file is here. First, analyze the packets with software called Wireshark. Wireshark can analyze packets, and it records information such as when, who communicated with whom, and over which protocol. How to install Wireshark is omitted here. After installing Wireshark, open the pcap file with it. When you open it, you will see the following: a list of packets, detailed information about the selected packet, and the raw bytes of the packet. From here I'm looking for something suspicious, and if you look at the Protocol column you can see that the file transfer protocol FTP is used. Actually, the title of this problem is "File Transfer Protocol", so that is a hint that you should look there. Since we decided to focus on FTP, let's filter out everything other than FTP communication. As shown in the image below, enter "ftp or ftp-data" in the display filter bar at the top of the window and press Enter. Then only the packets used for FTP are shown. Without going into detail, "ftp" is the control communication of FTP, and "ftp-data" is the data communication.

Next, look at the column called Info on the far right of the packet list. It may be hard to read all of it, but you can see that after logging in to the FTP server, the client requests "please give me the data of 1.txt, 2.zip and 3.txt", and the server transfers the data in response. So if you look at the contents of 1.txt, 2.zip and 3.txt, you can guess that the answer or a hint is written there. The contents of 1.txt and 3.txt are easy to read: there is a "Line-based text data (1 lines)" entry in the packet details. When I open it ... something like a flag comes out. 1.txt contained "ctf4b{This_communication_is" and 3.txt contained "_encrypted.}" (please check 3.txt yourself). Finally, let's check 2.zip. However, the contents of 2.zip are not shown in the same way, so let's download this zip file locally. Right-click the FTP-DATA packet containing 2.zip and click "Follow -> TCP Stream". This function displays only the communication (here, the TCP session) related to the selected packet. Now, as shown in the image below, switch the display from ASCII to Raw and save it locally. (If you save it in ASCII format, the binary bytes are not preserved and the extracted file will not be the original.) After saving, unzip the zip file and look at the contents: it says "_not". Therefore, the answer to this question is "ctf4b{This_communication_is_not_encrypted.}". It certainly wasn't encrypted.
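As an added example (not the article's or the CTF's code), here is a small Python reader that does what the `ftp or ftp-data` display filter does: it walks a pcap file and keeps only TCP segments on port 21 (control) or 20 (data). It constructs its own tiny capture inline (raw IPv4 link type with no Ethernet header, checksums left at zero, made-up addresses and payloads), so it runs without the problem file.

```python
import struct

FTP_PORTS = {20, 21}          # 20 = ftp-data, 21 = ftp control, i.e. "ftp or ftp-data"
LINKTYPE_RAW = 101            # pcap link type for packets that start at the IPv4 header


def build_packet(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 + TCP segment; checksums are left at 0 (not validated here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload


def build_pcap(packets) -> bytes:
    """Constructed pcap: 24-byte global header, then a 16-byte record header per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def ftp_segments(pcap: bytes):
    """Return (src_port, dst_port, payload) for each TCP segment on port 20 or 21."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"    # the magic tells us the byte order
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_RAW:
        raise ValueError("this minimal reader only handles raw IPv4 captures")
    offset, found = 24, []
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, offset)[2]
        pkt = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
        if pkt[9] != 6:                           # protocol field: 6 = TCP
            continue
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
        data_offset = (pkt[ihl + 12] >> 4) * 4    # TCP header length in bytes
        if sport in FTP_PORTS or dport in FTP_PORTS:
            found.append((sport, dport, pkt[ihl + data_offset:]))
    return found


# Constructed capture: one FTP command, one ftp-data segment, one unrelated HTTP request.
SAMPLE_PCAP = build_pcap([
    build_packet(40000, 21, b"RETR 1.txt\r\n"),
    build_packet(20, 40001, b"ctf4b{This_communication_is"),
    build_packet(40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
])
```

`ftp_segments(SAMPLE_PCAP)` returns the RETR command and the data segment and drops the HTTP packet, which is the same view the display filter gives you in Wireshark.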

# Finally

So, how was it? The problems I posted in this article were fairly easy, so I think even new employees who joined this year could understand them to some extent. There are many harder problems out there, and if you can solve them you may catch the eye of someone important. I hope the barrier to entering the contest can be lowered as much as possible. Finally, sites where you can solve CTF problems and references I found useful are listed below.

### References

Also, explanations called write-ups are scattered around the net, so I think it will help to take a look at them. I think we will hold the contest again this year, and I would like to take part too. Why don't you join us?
