corCTF_2024

Team: H4aG4au, Ranked: 40, Pts: 1002

forensics

the-conspiracy

题面

Author: jammy, Solved: 283, Pts: 109

Our intelligence team created a chat app, and secretly distributed it to the lemonthinker gang. We’ve given you the application source and a capture taken by one of our agents - can you uncover their plans?

题解

按照source.py中的encrypt方法写出对应的decrypt方法

1
2
3
4
5
6
7
8
9
10
def decrypt(finalmessage, keys):
    messagenums = []
    for i in range(len(finalmessage)):
        messagenums.append(finalmessage[i] / keys[i])

    message = ""
    for i in range(len(messagenums)):
        message += chr(int(messagenums[i]))

    return message

遍历数据包解密。

1
2
3
4
5
6
packets = rdpcap("challenge.pcap")

for i in range(6, len(packets) - 1, 2):
    message = str(packets[i].load).replace("b'[", "").replace("]'", "").split(", ")
    keys = str(packets[i + 1].load).replace("b'[", "").replace("]'", "").split(", ")
    print(decrypt(list(map(int, message)), list(map(int, keys))))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
from scapy.all import *
def decrypt(finalmessage, keys):
    messagenums = []
    for i in range(len(finalmessage)):
        messagenums.append(finalmessage[i] / keys[i])
    message = ""
    for i in range(len(messagenums)):
        message += chr(int(messagenums[i]))
    return message
packets = rdpcap("challenge.pcap")
for i in range(6, len(packets) - 1, 2):
    message = str(packets[i].load).replace("b'[", "").replace("]'", "").split(", ")
    keys = str(packets[i + 1].load).replace("b'[", "").replace("]'", "").split(", ")
    print(decrypt(list(map(int, message)), list(map(int, keys))))

hello blinkoid
hello night
how do we eliminate the msfroggers
idk i’ll ask slice1
how do we eliminate the msfroggers
we can send them to the skibidi toilet
or we can deprive them of their fanum tax
slice1 is being useless
what’s new
blinkoid? message back :(
oh errr… this sounds great! any more ideas
we could co-conspire with the afs
and get them to infiltrate the msfroggers
that way team lemonthink reins supreme
your a genius!
alright night
i have my own idea
let’s hear it
so yk about the afs
if we send our secret code over to them
they can use it to infiltrate the afs
what’s our code again?
i think it’s corctf{b@53d_af_f0r_th3_w1n}
hey night did you hear my idea
you had an idea? blinkoid just told me you were being useless
what the sigma

infiltration

题面

Author: jammy, Solved: 164, Pts: 116

After successfully infiltrating the lemonthinker gang, we’ve obtained their current location - the UK. We’ve attained some security logs from a gang member’s PC, but need some help in answering information relating to these.
nc be.ax 32222

题解

根据交互信息提示,找到对应的字段:

Hello agent. Thanks for your hard work in the field researching. We’ll now ask you 6 questions on the information you’ve gathered.
I’d like to take this opportunity to remind you that our targets are located in the United Kingdom, so their timezone is BST (UTC +1).
We’d like to confirm what the username of the main user on the target’s computer is. Can you provide this information? slice1
Now, we’d like the name of the computer, after it was renamed. Ensure that it is entered in exactly how it is in the logs.
I wonder if they’ll make any lemonade with that lemon-squeezer…
Great work! In order to prevent their lemons from moulding, the lemonthinkers changed the maximum password age. What is this value? Please enter it as an integer number in days.
It seems that our targets are incredibly smart, and turned off the antivirus. At what time did this happen? Give your answer as a UNIX timestamp.
The main lemonthinker, slice1, hasn’t learnt from the-conspiracy and has (again) downloaded some malware on the system. What is the name of the user created by this malware?
Finally, we’d like to know the name of the privilege level of the user created by the malware. What is this?

  1. 主机用户名:查看登录事件,尝试得slice1
  2. 变更后主机名:事件中包含多台计算机名,尝试后得lemon-squeezer
  3. 更改最大密码时限:筛选事件4739,找到时间为83天。
  4. 关闭Windows defender:搜索defender,筛选事件4699,从已删除计划任务事件得到具体时间。
  5. 创建新用户:筛选事件4720,得到病毒创建的用户为notabackdoor
  6. 创建新特权等级:事件4732,得到病毒创建的特权等级为Administrators

Misc

lights-out

题面

Author: plastic, Solved: 155, Pts: 117

You know the game. Solve the board quickly before a new one is generated.

题解

源码中已经给出了线性代数解的代码,直接调用即可。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
def create_vector_representations(n: int) -> list[list[int]]:
    vectors = []
    for i in range(n * n):
        vector = [0] * (n * n)
        vector[i] = 1
        if i % n != 0:
            vector[i - 1] = 1  # 左
        if i % n != n - 1:
            vector[i + 1] = 1  # 右
        if i >= n:
            vector[i - n] = 1  # 上
        if i < n * (n - 1):
            vector[i + n] = 1  # 下
        vectors.append(vector)
    return vectors


def gauss_jordan_elimination(matrix: list[list[int]]) -> list[list[int]]:
    rows, cols = len(matrix), len(matrix[0])
    r = 0
    for c in range(cols - 1):
        if r >= rows:
            break
        pivot = None
        for i in range(r, rows):
            if matrix[i][c] == 1:
                pivot = i
                break
        if pivot is None:
            continue
        if r != pivot:
            matrix[r], matrix[pivot] = matrix[pivot], matrix[r]
        for i in range(rows):
            if i != r and matrix[i][c] == 1:
                for j in range(cols):
                    matrix[i][j] ^= matrix[r][j]
        r += 1
    return matrix


def create_augmented_matrix(
    vectors: list[list[int]], board: list[int]
) -> list[list[int]]:
    matrix = [vec + [board[i]] for i, vec in enumerate(vectors)]
    return matrix


def is_solvable(matrix: list[list[int]]) -> bool:
    rref = gauss_jordan_elimination(matrix)
    for row in rref:
        if row[-1] == 1 and all(val == 0 for val in row[:-1]):
            return False
    return True


def get_solution(board: list[int], n: int) -> list[int] | None:
    vectors = create_vector_representations(n)
    matrix = create_augmented_matrix(vectors, board)
    if not is_solvable(matrix):
        return None
    rref_matrix = gauss_jordan_elimination(matrix)
    return [row[-1] for row in rref_matrix[: n * n]]


# 导入netcat
from pwn import remote

# 连接到远程服务器
# nc be.ax 32421
r = remote("be.ax", 32421)
# 等待,直至出现"Your Solution:"提示
r.recvuntil("Lights Out Board:".encode("ascii"))
# 读取输出
data = r.recv().decode()
data = (
    data.replace("\n\n\n\n", "").replace("\n\n\n", "").replace("Your Solution: \n", "")
)
print(data)
# 计算
n = len(data.split("\n")[0])
board = [1 if c == "#" else 0 for c in data.replace("\n", "")]
solution = "".join("#" if x == 1 else "." for x in get_solution(board, n))
# 发送解决方案
r.send((solution + "\n").encode("ascii"))
print(solution)
# 输出结果
try:
    print(r.recv().decode())
except EOFError:
    print("Error: Failed to receive data from the remote server.")
# 关闭连接
r.close()

touch grass 2

Author: strellic, BrownieInMotion, FizzBuzz101, Solved: 60, Pts: 151

题解

一道鼓励你亲近大自然的题,前端伪造定位即可。

ctfwp
#ctf #wp #CORCTF
corCTF_2024
http://xciphand.github.io/2024/07/29/corCTF-2024/
作者
xciphand
发布于
2024年7月29日
许可协议