write-ups/CTF

b01lers CTF, Scrambled write-up

2020. 3. 17. 17:05

영화 'the social network'에서 내가 가장 좋아하는 장면

 

 약간 게싱?이기도 하면서 스크립트 짜면 쉽게 풀 수 있었던 문제같다. 문제 사이트로 들어가면 다음과 같은 화면을 볼 수 있다. 

 

[*] url : http://web.ctf.b01lers.com:1002/

 

 이렇게 캡처 사진만 보면 별게 없어보이지만, html 소스를 보면 더 별게 없다. 이게 끝이다. 보통 이런 경우 robots.txt 에 숨겨진 디렉터리가 존재하거나, Cookie에 무언가 값을 넣어두거나, .git, index.php~ 등의 소스유출을 의도하는게 대부분이다. 이 문제에서는 쿠키에 이상한 값을 넣어놓았다. 

 

쿠키를 보면 알 수 없는 값들이 존재한다. 

 

 

 뭔지 영문을 알 수가 없는 이 값 때문에 '게싱'으로 푸는 문제임을 직감하고 그냥 넘어가려고 했지만, 이런 ㅈ밥문제는 내가 뚝배기를 깨버려야 한다는 정의감에 문제를 다시 잡았다. 계속 새로고침하니까 쿠키의 앞과 뒤에 padding되어 있는 'kxkxkxkxsh'라는 문자열만을 제외하곤 transmissions 값이 계속 변했다. 그래서 padding 이 붙여있는 이 값은 유의미한 값임을 직감하였고, 나의 녹슬지 않은 게싱 실력으로 이 문자열은 flag의 두 문자와 해당 문자열의 첫 문자의 index 값임을 알아차렸다. 그래서 아래와 같은 코드를 작성하였다. 

 

#!/usr/bin/env python3

import requests
from urllib.parse import unquote

url = 'http://web.ctf.b01lers.com:1002/'

def get_transmissions(frequency):
    headers = {
        'Cookie': 'frequency={0}; transmissions=asdf'.format(frequency)
    }
    r = requests.get(url, headers=headers)
    return r.cookies['transmissions']


def main():
    flag = ['' for i in range(1000)]
    i = 0
    while True:
        cookie = get_transmissions(i)
        segment = unquote(cookie.replace('kxkxkxkxsh', ''))
        index = int(segment[2:])
        flag[index] = segment[0:1]
        index += 1
        flag[index] = segment[1:2]
        print('[*] leaked flag :', ''.join(flag))
        i += 1
    print('[*] flag :', ''.join(flag))


if __name__ == '__main__':
    main()

 

 위의 Python 스크립트를 돌려보니 다음과 같은 결과를 얻을 수 있었다. 

 

[*] leaked flag : tf
[*] leaked flag : tfvo
[*] leaked flag : tf{Dvo
[*] leaked flag : tf{Dvo,T
[*] leaked flag : tf{Dvo,Tgu
[*] leaked flag : tf{Dvore,Tgu
[*] leaked flag : tf{Dwnvore,Tgu
[*] leaked flag : tf{Downvore,Tgu
[*] leaked flag : tf{Downllvore,Tgu
[*] leaked flag : tf{Downllvore,TguMy
[*] leaked flag : tf{Downllvore,TopguMy
[*] leaked flag : tf{Downllvore,TesopguMy
[*] leaked flag : tf{Downllnivore,TesopguMy
[*] leaked flag : tf{Downllnivore,TlesopguMy
[*] leaked flag : pctf{Downllnivore,TlesopguMy
[*] leaked flag : pctf{Downllnivore,TlesopguMy_
[*] leaked flag : pctf{Downllnivore,TlescopguMy_
[*] leaked flag : pctf{Downllnivore,TlescopguMy_
[*] leaked flag : pctf{Downllnivore,TlescopguMy_
[*] leaked flag : pctf{Downllnivore,TlescopguMy_on
[*] leaked flag : pctf{Downllnivore,TlescopguMy_on
[*] leaked flag : pctf{Downllnivore,TlescopguMy_on
[*] leaked flag : pctf{Downllnivore,Tlescopgun,My_on
[*] leaked flag : pctf{Downllnivore,Tlescopasgun,My_on
[*] leaked flag : pctf{Downllnivore,Tlescopasgun,My_on
[*] leaked flag : pctf{Downllnivore,Tlescopasgun,My_on
[*] leaked flag : pctf{Downllnivore,Tlescopasgun,My_on
[*] leaked flag : pctf{Downllnivore,Tlescopasgun,My_on
[*] leaked flag : pctf{DownllCanivore,Tlescopasgun,My_on
[*] leaked flag : pctf{DownllCanivore,Tlescopasgun,My_on
[*] leaked flag : pctf{DownllCanivore,Tlescopasgun,My_on
[*] leaked flag : pctf{Downe_llCanivore,Tlescopasgun,My_on
[*] leaked flag : pctf{Downe_llCanivore,Tlescopasgun,My_on
[*] leaked flag : pctf{Downe_llCanivore,Tlescopas_Bgun,My_on
[*] leaked flag : pctf{Downe_llCanivore,TlescopHas_Bgun,My_on
[*] leaked flag : pctf{Downe_llCanivore,TlescopHas_Bgun,My_on
[*] leaked flag : pctf{Downe_llCanivore,TlescopHas_Bgun,My_on
[*] leaked flag : pctf{Downe_llCanivore,TlescopHas_Bgun,My_on
[*] leaked flag : pctf{Downe_llCanivore,TlescopHas_Bgun,My_on
[*] leaked flag : pctf{Downe_llCanivore,TlescopHas_Bgun,My_on
[*] leaked flag : pctf{Downe_llCanivore,TlescopHas_Bgun,My_on
[*] leaked flag : pctf{Downe_llCanivore,TlescopHas_Bgun,My_on
[*] leaked flag : pctf{Downe_allCanivore,TlescopHas_Bgun,My_on
[*] leaked flag : pctf{Downe_alln,Canivore,TlescopHas_Bgun,My_on
[*] leaked flag : pctf{Downe_alln,Canivore,TlescopHas_Bgun,My_Don
[*] leaked flag : pctf{Downe_alln,Canivore,Tlescop,IHas_Bgun,My_Don
[*] leaked flag : pctf{Downe_alln,Canivore,Telescop,IHas_Bgun,My_Don
[*] leaked flag : pctf{Downe_alln,Canivore,Telescop,IHas_Bgun,My_Don
[*] leaked flag : pctf{Down_We_alln,Canivore,Telescop,IHas_Bgun,My_Don
[*] leaked flag : pctf{Down_We_alln,Canivore,Telescop,IHas_Bgun,My_Dons
[*] leaked flag : pctf{Down_We_alln,Canivore,Telescop,IHas_Bgun,My_Dons
[*] leaked flag : pctf{Down_We_alln,Canivore,Telescop,IHas_Bgun,My_Dons
[*] leaked flag : pctf{Down_We_alln,Canivore,Telescop,IHas_Bgun,My_Dons
[*] leaked flag : pctf{Down_Wh_e_alln,Canivore,Telescop,IHas_Bgun,My_Dons
[*] leaked flag : pctf{Down_Wh_e_alln,Canivore,Telescop,IHas_Bgun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_alln,Canivore,Telescop,IHas_Bgun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_alln,Canivore,Telescop,IHas_Bgun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_alln,Canivore,Telescop,IHas_Bgun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_Falln,Canivore,Telescop,IHas_Bgun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_Falln,Canivore,Telescop,IHas_Bgun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_Falln,Canivore,Telescop,IHas_Bgun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_Falln,Canivore,Telescop,IHas_Bgun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_Falln,Canivore,Telescop,IHas_Bgun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_Falln,Canivore,Telescop,IHas_Bgun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_Falln,Canivore,Telescop,IHas_Begun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_Falln,Canivore,Telescop,IHas_Begun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_Falln,Canivore,Telescop,IHas_Begun,My_Dmons
[*] leaked flag : pctf{Down_Wh_e_Falln,Canivore,Telescop,IHas_Begun,My_Dmons
[*] leaked flag : pctf{Down_Wih_e_Falln,Canivore,Telescop,IHas_Begun,My_Dmons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,IHas_Begun,My_Dmons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Dmons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_Wih_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescop,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Falln,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Canivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Carnivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Carnivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Carnivore,Telescope,It_Has_Begun,My_Demons}
[*] leaked flag : pctf{Down_With_the_Fallen,Carnivore,Telescope,It_Has_Begun,My_Demons}

 

[*] flag : pctf{Down_With_the_Fallen,Carnivore,Telescope,It_Has_Begun,My_Demons}

저작자표시 비영리 변경금지

'write-ups > CTF' 카테고리의 다른 글

SuSec CTF 2020 'Roll dice' write-up  (0) 2020.03.20
SuSec CTF write-up  (0) 2020.03.17
CONFidence CTF 2020 Teaser write-up  (0) 2020.03.16
2019 Christmas CTF watermelon write-up  (1) 2019.12.28
2019 사이버작전경연대회 학생부 예선에서 2등한 썰  (0) 2019.08.18