ふるつき

FireshellCTF writeup

I participated in Fireshell CTF as a member of team insecure with ptr-yudai, yoshiking, and thrust2799. We finished in 16th place. I solved some challenges: babycryptoweb, biggars, and Blackbox-0.

Thanks, admins, for this great CTF!

[Misc] babycryptoweb

We are given the PHP source shown below. The parameters p and b let us replace one byte of $code before it is eval'ed. There are only 256 * strlen($code) combinations (strlen($code) is 236, so about 60,000), which is small enough to brute force them all.

<?php

$code = '$kkk=5;$s="e1iwZaNolJeuqWiUp6pmo2iZlKKulJqjmKeupalmnmWjVrI=";$s=base64_decode($s);$res="";for($i=0,$j=strlen($s);$i<$j;$i++){$ch=substr($s,$i,1);$kch=substr($kkk,($i%strlen($kkk))-1,1);$ch=chr(ord($ch)+ord($kch));$res.=$ch;};echo $res;';

if (isset($_GET['p']) && isset($_GET['b']) && strlen($_GET['b']) === 1 && is_numeric($_GET['p']) && (int) $_GET['p'] < strlen($code)) {
    $p = (int) $_GET['p'];
    $code[$p] = $_GET['b'];
    eval($code);
} else {
    show_source(__FILE__);
}

?>

Most patched versions of $code are invalid PHP or die at runtime, so the errors have to be handled (here they are simply discarded). A patch can also make the program run forever (for example, turning $i++ into $j++ loops until PHP hits its memory limit), so each run should be bounded with a timeout. Below are the script I wrote and the helper hoge.php it calls.

#!/bin/bash
# Brute force every (position, byte) pair. $code is 236 bytes long, so the
# positions are 0..235; the timeout guards against patches that never terminate.

for p in $(seq 0 235); do
        for b in $(seq 0 255); do
                out=$(timeout 1 php hoge.php "$p" "$b" 2>/dev/null)
                [ -n "$out" ] && echo "p=$p b=$b: $out"
        done
done

echo did

hoge.php:

<?php
// Apply the one-byte patch (position $argv[1], byte value $argv[2]) and eval the result.

$code = '$kkk=5;$s="e1iwZaNolJeuqWiUp6pmo2iZlKKulJqjmKeupalmnmWjVrI=";$s=base64_decode($s);$res="";for($i=0,$j=strlen($s);$i<$j;$i++){$ch=substr($s,$i,1);$kch=substr($kkk,($i%strlen($kkk))-1,1);$ch=chr(ord($ch)+ord($kch));$res.=$ch;};echo $res;';

$p = (int)$argv[1];
$code[$p] = chr((int)$argv[2]);
eval($code);

By eye-grepping the outputs we got the flag F#{0n3_byt3_ru1n3d_my_encrypt1i0n!}. The correct parameters p and b are 5 and 203 respectively.
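The brute force is not actually necessary. Since strlen($kkk) is 1, the index ($i % 1) - 1 is always -1 and ord($kch) is the same byte in every round, so the loop is a single-byte additive cipher mod 256 (PHP's chr() reduces its argument mod 256). With the flag prefix F#{ known, the key byte follows directly. The script below is an added example and not part of the original writeup: it recovers the key from the known prefix, decrypts the embedded ciphertext, and shows why p=5, b=203 works. Offset 5 is the 5 in $kkk=5; in PHP 7 a bare high byte such as \xCB is lexed as an identifier, and an undefined constant evaluates to its own name (with a warning), so $kkk becomes "\xCB" and ord($kch) is 203.

```python
import base64

# Ciphertext embedded in the challenge's $code (copied from the page).
CIPHERTEXT_B64 = "e1iwZaNolJeuqWiUp6pmo2iZlKKulJqjmKeupalmnmWjVrI="

# Prefix shared by all flags in this CTF, used as known plaintext.
KNOWN_PREFIX = b"F#{"

# Start of the challenge's $code; the byte we patch is the '5' at offset 5.
CODE_PREFIX = "$kkk=5;"
KEY_OFFSET = CODE_PREFIX.index("5")

# Unpatched key: $kkk=5 gives the string "5", so ord($kch) is 53 every round.
ORIGINAL_KEY = ord("5")


def php_loop(ct: bytes, key: int) -> bytes:
    """Mirror of the PHP loop: chr(ord($ch) + ord($kch)), reduced mod 256."""
    return bytes((c + key) & 0xFF for c in ct)


def recover_key(ct: bytes, known_prefix: bytes) -> int:
    """Known-plaintext attack on the single additive byte: the first byte pair
    fixes the key, the rest of the prefix confirms it."""
    key = (known_prefix[0] - ct[0]) & 0xFF
    if php_loop(ct[:len(known_prefix)], key) != known_prefix:
        raise ValueError("ciphertext is not a single-byte additive encryption of the prefix")
    return key


def solve(ct_b64: str = CIPHERTEXT_B64, prefix: bytes = KNOWN_PREFIX):
    """Return (b, plaintext): b is the byte value that must replace the '5' at
    KEY_OFFSET so that ord($kch) equals the recovered key."""
    ct = base64.b64decode(ct_b64)
    key = recover_key(ct, prefix)
    return key, php_loop(ct, key)


if __name__ == "__main__":
    ct = base64.b64decode(CIPHERTEXT_B64)
    print("unpatched key gives:", php_loop(ct, ORIGINAL_KEY)[:8])
    b, flag = solve()
    print(f"p={KEY_OFFSET} b={b} -> {flag.decode()}")
```

The same derivation works for any challenge of this shape: as long as the per-byte operation is addition of a constant and a few plaintext bytes are known, one subtraction replaces the whole search.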

[Crypto] biggars

This is an RSA challenge where e, C and N are given. ptr-yudai told me that N has many prime factors. Googling keywords like "multi-prime RSA", I found a writeup of a past CTF challenge whose solver could be applied here: N is a product of prime powers p^k (the divisors list below), so for each factor we compute d modulo phi(p^k) = p^(k-1) * (p - 1), decrypt C modulo p^k, and combine the residues with the Chinese remainder theorem. After waiting for the output, I got the flag: F#{b1g_m0d_1s_unbr34k4bl3_4m_1_r1gh7?}

from functools import reduce

from keys import e, c  # e and C as given by the challenge (keys.py)

# N is the product of p**k over this list.
divisors = [[3, 1545], [7, 1626], [11, 1569], [13, 1552], [17, 1519], [19, 1673], [23, 1498], [29, 1667], [31, 1604], [37, 1542], [41, 1622], [43, 1525], [53, 1606], [59, 1531], [61, 1484], [67, 1631], [71, 1596], [73, 1495], [79, 1656], [83, 1658], [89, 1581], [97, 1592], [101, 1656], [103, 1487], [107, 1488], [109, 1577], [113, 1500], [127, 1514], [131, 1660], [137, 1610], [139, 1677], [149, 1637], [151, 1596], [157, 1656], [163, 1534], [167, 1627], [173, 1580], [179, 1646], [181, 1511], [191, 1651], [193, 1591], [197, 1562], [199, 1661], [211, 1539], [223, 1620], [227, 1492], [229, 1665], [233, 1654], [239, 1679], [241, 1620], [251, 1566], [257, 1622], [263, 1677], [269, 1551], [271, 1563], [277, 1507]]

# https://en.wikipedia.org/wiki/Euler%27s_totient_function
# Decrypt modulo each prime power separately: phi(p^k) = p^(k-1) * (p - 1).
n_ary = []
a_ary = []
for p, k in divisors:
    pk = p ** k
    phi = pk // p * (p - 1)      # integer arithmetic; pk * (p-1) / p is a float in Python 3
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+), replaces gmpy.invert
    mk = pow(c, d, pk)
    n_ary.append(pk)
    a_ary.append(mk)

# http://rosettacode.org/wiki/Chinese_remainder_theorem#Python
def chinese_remainder(n, a):
    total = 0
    prod = reduce(lambda x, y: x * y, n)

    for n_i, a_i in zip(n, a):
        p = prod // n_i
        total += a_i * pow(p, -1, n_i) * p
    return total % prod

m = chinese_remainder(n_ary, a_ary)
print(m.to_bytes((m.bit_length() + 7) // 8, "big").decode())
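The solver above depends on the challenge's keys.py. The following is an added example, not from the original writeup or the CTF: it reproduces the technique end to end on a constructed toy key of the same shape (a product of prime powers, with small exponents so it runs instantly) and also handles the case the writeup's solver silently gets wrong. For k >= 2, x -> x^e is a permutation only on the units of Z/p^kZ; if p divides m then (for e >= k) C is 0 mod p^k and m's residue there cannot be recovered, so the example drops such factors and returns the bound below which the combined result is still the true message. The primes, exponents, e and messages below are all constructed for the demo.

```python
from functools import reduce
from operator import mul

# Constructed toy key with the challenge's shape: N = product of p^k.
# (The real N had 56 prime powers with k around 1500.)
TOY_FACTORS = [(3, 40), (7, 33), (11, 30), (13, 29)]
E = 65537  # coprime to every phi(p^k) below, and larger than every k


def modulus(factors):
    return reduce(mul, (p ** k for p, k in factors), 1)


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli (the same
    algorithm as the Rosetta Code routine used in the writeup)."""
    prod = reduce(mul, moduli, 1)
    total = 0
    for r, m in zip(residues, moduli):
        q = prod // m
        total += r * pow(q, -1, m) * q
    return total % prod


def decrypt_prime_powers(c, e, factors):
    """Decrypt c modulo each p^k with phi(p^k) = p^(k-1) * (p - 1), combine
    with the CRT, and return (m, bound).

    If c is 0 mod p^k then p divides the message (assuming e >= k) and the
    residue mod p^k is lost: that factor is skipped, and the result is only
    the true message if it is smaller than the returned bound (the product
    of the moduli that were used).
    """
    residues, moduli = [], []
    for p, k in factors:
        pk = p ** k
        if c % pk == 0:
            continue
        phi = pk // p * (p - 1)
        d = pow(e, -1, phi)          # Python 3.8+ modular inverse
        residues.append(pow(c, d, pk))
        moduli.append(pk)
    return crt(residues, moduli), reduce(mul, moduli, 1)


def encrypt(m, e, factors):
    return pow(m, e, modulus(factors))


def int_to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    m = int.from_bytes(b"F#{toy}", "big")   # constructed message, coprime to N
    for msg in (m, 3 * m):                   # 3*m shares the factor 3 with N
        c = encrypt(msg, E, TOY_FACTORS)
        rec, bound = decrypt_prime_powers(c, E, TOY_FACTORS)
        print(int_to_bytes(msg), "recovered:", rec == msg,
              "factors used:", bound == modulus(TOY_FACTORS))
```

For a short flag the bound is never a problem: even with one or two factors dropped, the product of the remaining prime powers is astronomically larger than the message. A plain re-encryption check would not catch the error, because C itself does not distinguish the true message from the wrong preimage the naive solver produces.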

[Reversing] Blackbox-0

This was very difficult for me, so I can't believe this challenge was solved by many players.

We are given an obfuscated .NET PE32 binary. I tried to deobfuscate it with de4dot and follow its logic, but the binary was still very complex after deobfuscation. ptr-yudai told me about Process Monitor, which logs the file, registry and process activity of a program, so I observed the events the program generated. I found a WriteFile to %AppData%\Roaming\.flag, but the program only wrote Just kidding, this is'nt the flag. But keep going =). I also noticed a curious string in the binary: C:\Users\Administrator\Desktop\blackbox\base64.exe. After some trials, I found that the program executes this base64.exe. So I made a dummy exe that writes its arguments into takoyaki.txt, put it where the program looks for base64.exe, and ran the program again. Eventually I found the arguments in takoyaki.txt: -D and RiN7TmljZV9hbmFsaXN5c19icm9fPV1ffQ==. Decoding this base64 gives the flag F#{Nice_analisys_bro_=]_}.

#include <stdio.h>

/* Dummy base64.exe: record every argument it is called with in takoyaki.txt
   so the command line the program builds can be read afterwards. */
int main(int argc, char **argv) {
    int i;
    FILE *fp = fopen("takoyaki.txt", "a");   /* append, so several invocations are all kept */
    if (fp == NULL) {
        return 1;
    }
    for (i = 1; i < argc; i++) {
        fprintf(fp, "%s\n", argv[i]);
    }
    fclose(fp);
    return 0;
}