2016
Aug
20




https://play.icec.tf/

Stage 1

Hello World!

In this capture the flag competiton you're hunting for these strings, we call them "flags". These flags always begin with "IceCTF{" followed by a message in 1337sp34k and end with "}". Here's an example flag "IceCTF{h3l10_wr0ld}". Try submitting it through the text box down below!

第一題是教學用的,跟你說輸入 flag 的格式是 IceCTF{xxxx} ,也跟你說了這題的 flag 是 IceCTF{h3l10_wr0ld} 。

Spotlight

Someone turned out the lights and now we can't find anything. Send halp! spotlight

這題是用 JS canvas 畫一張圖,你滑鼠移到哪裡,探照燈就會照到哪,但是你在圖片上是找不到任何有用的線索,直接打開 spotlight.js 看 source code ,Search 一下 flag 就會看到答案了,原來 flag 會印在 Console log 裡面。

All your Base are belong to us

What a mess... we got a raw flag but now what do we do... flag.txt

寫一小段程式,把每一個二進位 bytes 轉成英文字即可得到 flag。

Rotated!

They went and ROTated the flag by 5 and then ROTated it by 8! The scoundrels! Anyway once they were done this was all that was left VprPGS{jnvg_bar_cyhf_1_vf_3?}

用 ROT13 將每個字母轉換回來就得到 flag , VprPGS => IceCTF

Move Along

This site seems awfully suspicious, do you think you can figure out what they're hiding?

move_along 這個資料夾沒有將 網頁 indexes 功能關掉,裡面有 flag 相關資料。

Substituted

We got a substitute flag, I hear they are pretty lax on the rules... crypted.txt

從 crypted.txt 中看到一段很像 flag 的文字 "WvyVKT{jzgjrd_zwdkym_ke_reso_dsbdkwksky_tzjqd}" ,很明顯的 WvyVKT 要翻成 IceCTF ,所以觀察這篇文章,將每個字母對應表找出來,就能得到正確的 flag。

IRC I

There is someone sharing flags on our IRC server, can you find him and stop him? glitch.is:6667

查看 glitch 這個 user 有 join 哪些 room ,其中一個 room 有 flag 。

Alien Message

We found this suspicous image online and it looked like it had been planted there by an alien life form. Can you see if you can figure out what they're trying to tell us?

上 Google 查 alien message , 就會查到對照表,有對照表,flag 就很容易得到了 "good news i like futurama and their amazing easter eggs"。

Time Traveler

I can assure you that the flag was on this website at some point in time.

題目很清楚的告訴我們"時間旅行",要麻看未來時間,不然就看過去時間,解法就是去 https://web.archive.org/ 這個網站,尋將 time-traveler 這個網站,找到他過去時間的頁面。

Scavenger Hunt

There is a flag hidden somewhere on our website, do you think you can find it? Good luck!

這題只說 flag 藏在他們的網站,要我們自已去找,線索給的很少,一開始我還以為會藏在 shell 裡面,結果 flag 卻不是藏在 play.icec.tf 的網站裡面,也不在它的分頁,最後我是在主站的 sponsors 頁面中找到。

Stage 2

Complacent

These silly bankers have gotten pretty complacent with their self signed SSL certificate. I wonder if there's anything in there. complacent.vuln.icec.tf

查看 SSL certificate 就會找到 flag 。

Hidden in Plain Sight

Make sure you take a real close look at it, it should be right there! /home/plain_sight/ or download it here

plain_sight 很明顯的告訴我們,flag 是用明確儲左,用 vim %!xxd 看 hex dump 的內容,再找一下有關 IceCTF 的字眼,就得到 flag 囉!

Flag Storage

What a cheat, I was promised a flag and I can't even log in. Can you get in for me? flagstorage.vuln.icec.tf. They seem to hash their passwords, but I think the problem is somehow related to this.

題目已經告訴我們要用 SQL Injection ,但是當我們輸入 " ' or 1=1-- " 卻沒辦法登入 ,看了網頁原始碼才發現, password 這一欄被 JS 用 sha-256 加密過,用 chrome inspect element 修改一下 form ,讓 password 這個欄位,可以正常送出未加密的 SQL Injection 語法即可得到 flag 。

RSA?

John was messing with RSA again... he encrypted our flag! I have a strong feeling he had no idea what he was doing however, can you get the flag for us? flag.txt

把變數 c 從 hex 轉成 ascii 就會得到 flag 。

Thor's a hacker now

Thor has been staring at this for hours and he can't make any sense out of it, can you help him figure out what it is? thor.txt

看 hex string ,前四個字寫著 lzip ,上網查查這個名詞,發現它是跟 gzip 很像的加解壓縮軟體 ,lzip 官網在這 http://www.nongnu.org/lzip/manual/lzip_manual.html ,首先下載它的 lzip source code ,再來把 thor.txt 用 linux 指令 xxd -r 轉換成 binary file ,再執行 lzip -d thor.lz 得到下面這個錯誤訊息。

Example
  1. $ cat thor.txt | xxd -r > thor.lz
  2. $ lzip -d thor.lz
  3. thor.lz: Invalid dictionary size in member header.
  4. lzip: Deleting output file 'thor', if it exists.

訊息告訴我們檔案的 header 有問題,所以先去 lzip 官網查 header 格式,查到 DS (coded dictionary size, 1 byte) 這個欄位在檔案第六個 byte 的位置,一個 byte 0 ~ 255 只有 256 種可能,所以我寫一個小程式,將第六個 byte 從 0 試到 255 就成功將這個 lzip 檔解出來,也得到 flag。

Exposed!

John is pretty happy with himself, he just made his first website! He used all the hip and cool systems, like NginX, PHP and Git! Everyone is so happy for him, but can you get him to give you the flag?

這個網站把 .git 資料夾也一起上傳到伺服器,所以我們要去偷 .git 裡 commit 的資料,把 flag 找出來,方式可以參考這篇教學: https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/。

首先 download http://exposed.vuln.icec.tf/.git/refs/headers/master ,得到一個 hash 過的 object id ,用這個 id 拼出 "git/objects/a0/1751ff89f1c1dfca8b16a81d7dd1f28c18d9ca" 這個路徑,就能下載 .git 裡面的檔案。

找到一個 flag.txt ,但卻不是答案 IceCTF{this_isnt_the_flag_either}

看舊一點的 flag.php ,有看到 flag IceCTF{not_this_flag} ,但也不是答案

最後下載每一個 blob 檔,在其中一個 git object id 中得到正確的 flag。

結束後,我寫了一個工具,用程式來自動下載 .git 資料夾 : https://github.com/puritys/download-git

Smashing Profit!

Do you think you can make this program jump to somewhere it isn't supposed to? Where we're going we don't need buffers! /home/profit/ on the shell.

登入 IceCTF shell ,然後先用 gdb profit 來看程式的 assemble 執行過程,使用 disass main, disass start,再自已改 memory address: disass 0x0804850c 可以查到有一個 function 叫 flag 。


  • disass main , disass start , disass flag
  • 執行 profit 並輸入一個很長的 args ,試著造成程式 coredump,並記下 args 的長度。
  • 在 gdb 中查詢 coredump memory log,會找到被 buffer overflow 寫入的位址被我們覆寫了。
  • 這題要覆寫兩個地方,分別是 1. 0x0804850b 這是 function flag 的執行點,2. 0x0804858d 這是 function main 的執行點,讓程式執行我們覆寫的 address ,先執行 flag 再執行一次 main ,程式就會印出 flag 。
Example
  1. echo -e 0x8d,0x85,0x04,0x08,0x0b,0x85,0x04,0x08 | xxd -r | xargs -t -n 1 -I% echo "aaaaaaaaaaaaaaaaabbbbbbbbaaaaaaaaaaaaaaaaabbbbbbbbaaabbbbaaaaaaaaaaaflag%" | ./profit
  2.  
  3. //result
  4. Smashing the stack for fun and...?
  5. IceCTF{who_xxx_xxxxx}

Demo

I found this awesome premium shell, but my demo version just ran out... can you help me crack it? /home/demo/ on the shell.
file list
  1. -rwxr-sr-x 1 root demo 5.6K Aug 12 09:08 demo
  2. -rw-r--r-- 1 root root 458 Aug 12 09:08 demo.c
  3. -r--r----- 1 root demo 33 Aug 12 09:08 flag.txt
  4. -rw-r--r-- 1 root root 83 Aug 12 09:08 Makefile

getenv("_") 代表取得執行檔的名稱 (如 demo),所以我將 demo 改名為 icesh,這樣就能夠通過第一關進入 shell ,但是進入 shell 的身份是我們自已的 account,還是沒有權限讀取 flag.txx,再看程式碼發現有一行 getegid , setresgid ,這行會取得 effective group id ,也就是檔案的 group,然後再 set 到 real group,看樣子我們得執行原生的 demo 檔才行,因為這樣檔案才有 demo 這個 group,最後我使用 symbolic link 拿到 flag: ln -s /home/demo/demo ~/icesh

Miners!

The miners website has been working on adding a login portal so that all miners can get the flag, but they haven't made any accounts! However, your boss demands the flag now! Can you get in anyway? miners.vuln.icec.tf

資料庫沒有帳號,所以可以用 "union" 的方式得到一筆資料,"' union all select ..."。

Kitty

They managed to secure their website this time and moved the hashing to the server :(. We managed to leak this hash of the admin's password though! c7e83c01ed3ef54812673569b2d79c4e1f6554ffeb27706e98c067de9ab12d1a. Can you get the flag? kitty.vuln.icec.tf

Google 那段 hash string ,就會知道密碼是 "?o??*" 。


回應 (Leave a comment)