I participated in Fireshell CTF as a member of team insecure with ptr-yudai, yoshiking, and thrust2799. We got 16th place at the end of the CTF. I solved some challenges: babycryptoweb, biggars, and Blackbox-0.
Thanks, admins, for this great CTF!
[Misc] babycryptoweb
We are given the simple PHP source code shown below. We can set the parameters p and b to replace one byte of $code. Since the number of all combinations is only 256 * count($code), we can brute force all patterns.

    <?php
    $code = '$kkk=5;$s="e1iwZaNolJeuqWiUp6pmo2iZlKKulJqjmKeupalmnmWjVrI=";$s=base64_decode($s);$res="";for($i=0,$j=strlen($s);$i<$j;$i++){$ch=substr($s,$i,1);$kch=substr($kkk,($i%strlen($kkk))-1,1);$ch=chr(ord($ch)+ord($kch));$res.=$ch;};echo $res;';

    if (isset($_GET['p']) && isset($_GET['b']) && strlen($_GET['b']) === 1 && is_numeric($_GET['p']) && (int) $_GET['p'] < strlen($code)) {
        $p = (int) $_GET['p'];
        $code[$p] = $_GET['b'];
        eval($code);
    } else {
        show_source(__FILE__);
    }
    ?>

Because the generated $code may be invalid PHP, be careful to handle the errors. Below is the script I wrote.
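
    #!/bin/bash
    # Try every byte value b at every position p. stderr is discarded because
    # most mutated programs fail to parse or run.
    for p in $(seq 235); do
        echo "$p"
        for b in $(seq 256); do
            php hoge.php "$p" "$b" 2>/dev/null
        done
    done
    echo did

    <?php
    // hoge.php: local copy of the challenge that takes p and b from the command line.
    $code = '$kkk=5;$s="e1iwZaNolJeuqWiUp6pmo2iZlKKulJqjmKeupalmnmWjVrI=";$s=base64_decode($s);$res="";for($i=0,$j=strlen($s);$i<$j;$i++){$ch=substr($s,$i,1);$kch=substr($kkk,($i%strlen($kkk))-1,1);$ch=chr(ord($ch)+ord($kch));$res.=$ch;};echo $res;';

    $p = (int)$argv[1];
    $code[$p] = chr((int)$argv[2]);  // replace one byte, as the server does
    eval($code);
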
...And by eye-grepping the outputs we got the flag F#{0n3_byt3_ru1n3d_my_encrypt1i0n!}. The correct parameters $p and $b are 5 and 203 respectively.
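
Why byte 203 at offset 5 works, as an added example that is not part of the original writeup: offset 5 of $code is the key digit in $kkk=5, so the Python sketch below re-implements the decode loop for a one-byte key and tries all 256 values. It assumes PHP uses the replaced byte as a one-character string key; the function names are made up for this example.

```python
import base64

# Ciphertext and original key digit, copied from the challenge's $code string.
S_B64 = "e1iwZaNolJeuqWiUp6pmo2iZlKKulJqjmKeupalmnmWjVrI="
ORIGINAL_KEY = ord("5")  # $kkk=5 is read through substr(), i.e. the character "5"


def decode_with_key(key):
    """Mirror of the PHP loop for a one-byte key: chr(ord($ch) + ord($kch))."""
    data = base64.b64decode(S_B64)
    return bytes((ch + key) % 256 for ch in data)  # PHP chr() wraps modulo 256


def looks_like_flag(candidate):
    """Flag format seen on the page: F#{...} made of printable ASCII."""
    return (candidate.startswith(b"F#{") and candidate.endswith(b"}")
            and all(0x20 <= c < 0x7F for c in candidate))


def find_keys():
    """Try every key byte and keep the ones that yield a well-formed flag."""
    hits = []
    for key in range(256):
        plain = decode_with_key(key)
        if looks_like_flag(plain):
            hits.append((key, plain.decode("ascii")))
    return hits


if __name__ == "__main__":
    for key, flag in find_keys():
        # 203 is -53 modulo 256, so the loop subtracts the "5" it used to add.
        print("key byte %d (= -%d mod 256): %s" % (key, 256 - key, flag))
    print("original key byte:", ORIGINAL_KEY)
```

Only one key byte survives the filter, and it is the additive inverse of the original key character modulo 256: the stored string was shifted up by 53, so adding 203 undoes it.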
[Crypto] biggars
This is an RSA challenge with e, C, N known. ptr-yudai told me that N can be divided by many prime factors. I googled some keywords like "multi-prime RSA" and found this writeup of a past CTF challenge. The solver could be applied to this challenge. Waiting for the output, I got the flag: F#{b1g_m0d_1s_unbr34k4bl3_4m_1_r1gh7?}

    # Python 2 script (print statement, builtin reduce, str.decode('hex')).
    import gmpy
    from keys import *

    # [prime, exponent] pairs of the factorization of N
    divisors = [[3, 1545], [7, 1626], [11, 1569], [13, 1552],
                [17, 1519], [19, 1673], [23, 1498], [29, 1667],
                [31, 1604], [37, 1542], [41, 1622], [43, 1525],
                [53, 1606], [59, 1531], [61, 1484], [67, 1631],
                [71, 1596], [73, 1495], [79, 1656], [83, 1658],
                [89, 1581], [97, 1592], [101, 1656], [103, 1487],
                [107, 1488], [109, 1577], [113, 1500], [127, 1514],
                [131, 1660], [137, 1610], [139, 1677], [149, 1637],
                [151, 1596], [157, 1656], [163, 1534], [167, 1627],
                [173, 1580], [179, 1646], [181, 1511], [191, 1651],
                [193, 1591], [197, 1562], [199, 1661], [211, 1539],
                [223, 1620], [227, 1492], [229, 1665], [233, 1654],
                [239, 1679], [241, 1620], [251, 1566], [257, 1622],
                [263, 1677], [269, 1551], [271, 1563], [277, 1507]]

    # https://en.wikipedia.org/wiki/Euler%27s_totient_function
    n_ary = []
    a_ary = []
    for p, k in divisors:
        pk = p ** k
        phi = pk * (p-1)/p       # phi(p^k) = p^(k-1) * (p-1)
        d = gmpy.invert(e, phi)  # private exponent modulo this prime power
        mk = pow(c, d, pk)       # plaintext residue modulo p^k
        n_ary.append(pk)
        a_ary.append(mk)

    # http://rosettacode.org/wiki/Chinese_remainder_theorem#Python
    def chinese_remainder(n, a):
        sum = 0
        prod = reduce(lambda a, b: a*b, n)
        for n_i, a_i in zip(n, a):
            p = prod / n_i
            sum += a_i * gmpy.invert(p, n_i) * p
        return sum % prod

    # Combine the residues into the plaintext modulo N and print it as bytes.
    m = chinese_remainder(n_ary, a_ary)
    m = "%x" % m
    print m.decode('hex')

[Reversing] Blackbox-0
This was very difficult for me, so I can't believe this challenge was solved by many players.
We are given a .NET PE32 binary which is obfuscated. I tried to deobfuscate it with de4dot and to follow its process; however, the binary was still very complex after the deobfuscation. Since ptr-yudai taught me the tool "Process Monitor", which can capture the system calls, I observed the events created by the program. Then I found a WriteFile to %AppData%\Roaminig\.flag, but the program just wrote "Just kidding, this is'nt the flag. But keep going =)". Also, I grepped a curious string: C:\Users\Administrator\Desktop\blackbox\base64.exe. After some trials, I found that this program used the base64.exe. So I made a dummy exe which writes the arguments into takoyaki.txt and executed the program again. Eventually, I found the arguments in takoyaki.txt: -D and RiN7TmljZV9hbmFsaXN5c19icm9fPV1ffQ==. Decoding this base64, I got the flag F#{Nice_analisys_bro_=]_}.
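
    #include <stdio.h>

    /* Dummy base64.exe: record the arguments it is called with in takoyaki.txt. */
    int main(int argc, char **argv) {
        int i;
        FILE *fp = fopen("takoyaki.txt", "w");
        if (fp == NULL) {
            return 1;
        }
        for (i = 1; i < argc; i++) {
            fprintf(fp, "%s\n", argv[i]);
        }
        fclose(fp);
        return 0;
    }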