Introduction

Nice to meet you, I'm Yuyu Yuta. I'm a hard-working student who has no interest in live coding music, vvvv and game development. So far, he has worked on game development, CTF, live coding, and competitive programming.

In this ad-care, I wanted to talk about the game I made earlier, but since the amount was going to be too huge, I changed the content in a hurry today, called Time Attack and did CTF with Cpaw and they The content is to write WriteUp.

(~~ No, Cpaw's WriteUp is too fulfilling, and the nth decoction is already good ~~) I hope this article can lower your threshold for CTF. I especially want the members to see it.

What is CTF?

CTF is one of the security contests called Capture the flag, and is a contest to compete for IT technology and knowledge. There are 11 genres each, which are classified as follows. I won't give you a detailed explanation, but I'll leave only the keywords, so if you're curious, please google.

Crypto Web (makes website vulnerabilities bumpy) Reversing (file analysis) Pwn (Vulnerability Attack) Forensic (search for hidden data) Network (packet analysis / authentication breakthrough) PPC (like competitive programming) Steganography (analysis of image / audio data) Recon (net stalker) Trivia (trivia) Misc (Other) (This is all the problems that cannot be classified into the above genres)

CTF site targeted this time

This time, I would like to solve the problem provided by CpawCTF. There are many types of problems that are fun to solve for beginners, so it is recommended that you try the problem once without looking at this WriteUp.

Execution environment

OS:Windows10 It is assumed that all programs are running in a WSL environment. In addition, we will assume that the general Linux commands have been installed and are in the path.

(For WSL setup, see here](https://qiita.com/Aruneko/items/c79810b0b015bebf30bb))

(Addition: About CTF using MacOS) Although it is MacOS, there are cases where ELF files cannot be executed or some tools cannot be used, so I think that problems will not occur if the above environment is prepared as much as possible. If you really want to do it on MacOS, please do it with a Linux virtual environment built using VMWare or VirtualBox. However, this is also not recommended as some commands and shortcut keys may not be available depending on the environment.

Before entering WriteUp

Please read the following sites. (To shorten the solution)

Linux command list

WriteUp

Level1

Q1.[Misc] Test Problem Please solve this as expected. Please. The explanation is also omitted. However, I've been rejected several times by copypemis or something, so maybe I should do it by hand.

Q6.[Crypto] Classical Cipher This is a typical Caesar cipher. The Caesar cipher is one of the single substitution ciphers that shifts the plaintext alphabet by several characters to make different sentences. But alas, this Caesar cipher is nothing more than a classical cipher, a small fish for us modern people. In addition, as soon as I searched Google for "Caesar cipher conversion" in the present age, a Web tool for decrypting the Caesar cipher (restoring the encrypted text) came out. Something like this Let's copy and paste the encrypted sentence to this site and convert it. Now you can get the flag. (Be careful whether it is uppercase or lowercase) コメント 2019-12-17 222153.png

Q7.[Reversing] Can you execute ? Download the file without the extension. Normally, any file has an extension (indicating what kind of file it is) such as "txt" or "exe", but this file does not have it. So when I try to find out what this file looks like using the Linux command "file",

 file exec_me
exec_me: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l,
for GNU/Linux 2.6.24, BuildID[sha1]=663a3e0e5a079fddd0de92474688cd6812d3b550, not stripped

Well, you can see that this file seems to be an ELF file. Since the ELF file is an executable file that mainly runs in the Linux environment, it works as it is on WSL. So you can get the flag by executing the following command.

./exec_me

Q8: [Misc] Can you open this file ? If you use the file command as in the previous problem,

file open_me
open_me: Composite Document File V2 Document, 
Little Endian, Os: Windows, Version 10.0, Code page: 932, Author: v, Template: Normal.dotm, 
Last Saved By: v, Revision Number: 1, Name of Creating Application: Microsoft Office Word, 
Total Editing Time: 28:00, Create Time/Date: Mon Oct 12 04:27:00 2015,
Last Saved Time/Date: Mon Oct 12 04:55:00 2015,
Number of Pages: 1, Number of Words: 3, Number of Characters: 23, Security: 0

The word "Document" appears to indicate that this file is a document file. This time, in order to let Word read it, you can get the flag by opening this file in Word with the extension "doc" which is the default of Word. コメント 2019-12-17 225622.png

(Addition) Why set the extension The extension has the purpose of clearly showing "what format the file follows", but it also has another role of "making it recognizable by the application". In fact, even if it is a document file, it is often not recognized as a document file without an extension such as ".doc". A good example is that if you change the extension of the audio file, you will not be able to hear the sound. Forcibly reading this may result in data loss or cause errors, and may become a hotbed of various problems. (This can cause the answer to enter a labyrinth ...) To solve these problems, try to avoid creating files with no extension unless they are binary files.

Q9.[Web] HTML Page

Now it's a matter of getting the flag from the web page. When solving web problems, don't forget to press F12 on your keyboard to bring up the developer tools, and try to browse the page from corner to corner. コメント 2019-12-17 230546.png

By the way, if you adhere to the above two attitudes,

Do you read description of this page?

Somehow a clearly suspicious sentence came out. If you look up the word "description" in English, you can see that it is text information that gives an overview (summary) of the Web page, which is written in the html file. So, if you search all over the html source in the Elements tab of the developer tool that you opened earlier, the flag is written somewhere. Now you can get the flag.

Q10.[Forensics] River It seems that various metadata such as Exif information is stuck to the passed image. So, if you throw this jpg to this site, it will look like this.

コメント 2019-12-17 231806.png

Read the name of the river from the map and get the flag. No, the progress of civilization is really scary. Please be careful about the metadata of your photos.

Q11.[Network]pcap This time is a network packet analysis problem. So let's [install] WireShark (https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.0.7.exe), the tiger cub of packet analysis. The story begins from there.

By the way, if you open the downloaded file with wireshark, you will see a screen like this. コメント 2019-12-17 233219.png

As you can see, the flag is out. Japan will end if such data is exchanged in plain text.

Q12.[Crypto]HashHashHash! This time, we will break the code devised by NSA such as SHA1. It may seem difficult at first glance, but if you really google it, it's pretty good. So let's search for the ciphertext in question as it is. Then you can easily get the flag at a surprising level. (This is only possible with [Rainbow Table](https://ja.wikipedia.org/wiki/%E3%83%AC%E3%82%A4%E3%83%B3%E3%83%9C % E3% 83% BC% E3% 83% 86% E3% 83% BC% E3% 83% 96% E3% 83% AB) Thanks to the technique. Rainbow table hurray.)

Q14. [PPC] Sort!

Suddenly something like competitive programming came. Well, this is what I write code for. let's write. First, mold the data like this,

15
1
93
52
66
31
87
0
42
77
46
24
99
10
19
(abridgement)

Read it as a text file, write the code quickly, and you're done. Now you can get the flag.

`sort.c`


#include<stdio.h>
#include<stdlib.h>

int main(){
    FILE *fp;
    int i, j,n=0, tmp;
    int array[100];
    char filename[] = "test.txt";
    char str[100];

    fp = fopen(filename,"r");
    if(fp == NULL) {
		printf("%s file not open!\n", filename);
		return -1;
	}

    while(fgets(str,100, fp) != NULL){
        array[n] = atoi(str);
        n++;
    }

    fclose(fp); 

   for (i=0; i<n; ++i) {
        for (j=i+1; j<n; ++j) {
            if (array[i] < array[j]) {
                tmp =  array[i];
                array[i] = array[j];
                array[j] = tmp;
            }
        }
      }
 
      for (i=0; i<n; ++i){
        printf("%d", array[i]);
    }

    return 0;
}

Level2

Q13. [Stego] Hidden flags

If you look at the distributed images, you can see that the dots are drawn. It's a Morse code by all means, so I'll translate it to get the flag. However, only for this problem, the output may differ slightly from site to site. I will post some translation sites, so if the desired flag is not output, please try various things. https://l08084.github.io/morse-code-translate-website/ http://www.inv.co.jp/~ike/mores-chg.html https://morsecode.doratool.com/

Q15.[Web] Redirect If the fc2 site disappears, a page like "Return to home in n seconds" may appear. That's exactly the redirect. If you start the developer tools and press the link in the same way as the web problem above, you will find that it does not jump to the specified page. Therefore, change the items displayed in the developer tools from elements to network. コメント 2019-12-18 001130.png

Then, you can see that the information of the original page that could not be viewed due to some kind of program being bad is displayed. You can get the flag by double-clicking on this data.

Q16.[Network+Forensic]HTTP Traffic I am doing packet analysis as usual, but if you take a look at the contents of the packet, you can see that a lot of data is hidden in the packet. Comment 2019-12-18 001538.png

Therefore, let's export these data together by selecting [File] → [Export Object] → [HTML]. コメント 2019-12-18 001608.png

Create a folder, divide the js and css files into folders like this, and add the extension properly to the html file without the extension. (It is absolutely necessary for the browser application to recognize it as an html page.)

コメント 2019-12-18 001839.png

When you open the html file, a button will appear, so you can get the flag by pressing that button.

Q17.[Recon]Who am I ? It's a net stalking problem. You can get the flag by searching for the Twitter ID and the name of the game that is often played. Let's not show the game ID etc. easily.

Q18.[Forensic]leaf in forest

When I open this file as a text file,

コメント 2019-12-18 002839.png

Something that seems to come out in a dream has come out. I'm scared, so if you keep replacing the string "love live!" With a single character, you can get the flag naturally.

Q19.[Misc]Image! This time, a zip file will be passed, so let's unzip it.

コメント 2019-12-18 004334.png

I thought, I would browse from the beginning, but I didn't get much information. However, when I browse the image file that was only one, I see an image like this.

I wondered if there was data somewhere, and as a result of browsing various files, when I browsed meta.xml,

<?xml version="1.0" encoding="UTF-8"?>
<office:document-meta xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:presentation="urn:oasis:names:tc:opendocument:xmlns:presentation:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:smil="urn:oasis:names:tc:opendocument:xmlns:smil-compatible:1.0" xmlns:anim="urn:oasis:names:tc:opendocument:xmlns:animation:1.0" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:officeooo="http://openoffice.org/2009/office" office:version="1.2"><office:meta><meta:creation-date>2015-10-16T09:50:35.362650845</meta:creation-date><dc:date>2015-10-16T10:06:25.173018557</dc:date><meta:editing-duration>PT1M11S</meta:editing-duration><meta:editing-cycles>4</meta:editing-cycles><meta:generator>LibreOffice/4.2.8.2$Linux_X86_64 LibreOffice_project/420m0$Build-2</meta:generator><meta:document-statistic meta:object-count="17"/></office:meta></office:document-meta>

Focusing on OpenDocument in this, it seems that OpenDocument is a file compressed in zip format. Since it is a document, I was able to get the flag by opening the zip folder with word. Without prior knowledge, it takes a lot of inspiration.

Q20.[Crypto]Block Cipher Since the c source file is passed, the problem is to read the source and get the flag.

`crypto100.c`


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char* argv[]){
  int i = 0;
  int j = 0;
  int key = atoi(argv[2]);
  const char* flag = argv[1];
  printf("cpaw{");
  for(i = key - 1; i <= strlen(flag); i+=key){
     for(j = i; j>= i - key + 1; j--){
        printf("%c", flag[j]);
     }
  }
  printf("}");
  return 0;
}

You can get the flag by putting the sentence before decryption and how many characters to shift in the command line argument and executing it. In my case, I didn't understand the command line argument specifications well, so I was only causing core dumps. Reflection.

Q21.[Reversing]reversing easy! This time I solved the problem using a reverse assembly called IDA. Install IDA

When I open the binary file in question with IDA, I get a screen like this. コメント 2019-12-18 010618.png IDA is a really high-performance software, and although it is free, it displays what kind of function is called at what timing in an easy-to-understand manner.

There are tabs in addition to the text view, so let's browse through them. Then when I switched to the Hex-view (binary hex dump) tab, コメント 2019-12-18 010704.png

A really good character string came out. You can get the flag by connecting it except for the symbols that may not be related to the flag. At first glance, I thought it was easy because strange characters were mixed in with the reverse assembly so that I couldn't tell which character string corresponded to it.

Q22.[Web]Baby's SQLi - Stage 1- This is a problem of SQL injection that exploits a vulnerability in a website. Apparently, if you refer to the data in the table, you can get the flag, so type the following SQL statement in the form.

SELECT * FROM palloc_home

Then, the table you are looking for will appear and you can get the flag.

If you easily decipher this SQL statement SELECT ... Get data.

... everything in the table FROM palloc_home ... from palloc_home It's like that. SQL can be used at unexpected times, so it's a good idea to remember even simple instructions.

Q28.[Network] Can you login？ Looking at the packet with Wireshark![Comment 2019-12-18 013520.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/338549/6fdd979b- d652-cbe8-8210-aacc1f1301a4.png "(Akan)") You can see that you can see the credentials that should not be clearly visible. This is because the FTP protocol itself does not encrypt the user name / password for authentication and transfer data, but exchanges them in plain text. The world ends when this protocol is used on a daily basis when sending critically sensitive data. It is a protocol that is clearly not suitable for the present age. (Of course, FTP is still used for limited purposes.)

Since ip is also completely visible, this time we will use FileZilla to get the file. Install FileZilla Please install FileZilla for Client.

Use FileZilla to connect to the FTP server using the information above. (This is why you should download the Client) Also, before connecting, make settings to forcibly display hidden files. (Because CTF may contain important information in hidden files) The setting can be easily done by selecting [Server] → [Forced display of hidden files]. コメント 2019-12-18 014527.png

If the connection is successful, download the .hidden_flag_file from the FTP server and browse with the strings command or a text editor to get the flag. Of course, you can also connect and download files by typing the command in the terminal as shown below.

$ ftp
ftp> open
(to) 157.7.52.186
Connected to 157.7.52.186.
220 Welcome to Cpaw CTF FTP service.
Name (157.7.52.186:user): cpaw_user
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -l
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            36 Sep 01  2017 dummy
226 Directory send OK.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp            42 Jun 18  2019 .
drwxr-xr-x    2 ftp      ftp            42 Jun 18  2019 ..
-rw-r--r--    1 ftp      ftp            39 Sep 01  2017 .hidden_flag_file
-rw-r--r--    1 ftp      ftp            36 Sep 01  2017 dummy
226 Directory send OK.
ftp> get .hidden_flag_file
local: .hidden_flag_file remote: .hidden_flag_file
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .hidden_flag_file (39 bytes).
226 Transfer complete.
39 bytes received in 0.00 secs (8.2742 kB/s)

At the end

Thank you for browsing so far. If you find something difficult to understand, please let us know in the comments.

Well, if you've seen WriteUp so far, you'll know that with a little inspiration, anyone can solve these problems. I'm not doing anything so specialized. (I want to believe that) If you think so, please try to solve this problem yourself right now. I think you can make different discoveries by solving it yourself.

This time, I posted only WriteUp up to Level2, but if I have a chance, I will try WriteUp of Level3 and post WriteUp. See you in the next article.

Writer: Yuyu Yuta Twitter Hatebu

[LINUX] I tried to summarize Cpaw Level1 & Level2 Write Up in an easy-to-understand manner