Participate SECCON CTF 2022

Author: Qwaz

SECCON/2022/babycmp/chall.baby

@@ -0,0 +1,22 @@
+from binascii import unhexlify
+
+rand_arr = b"Welcome to SECCON 2022"
+
+flag = unhexlify(
+    (
+        "04 20 2F 20 20 23 1E 59  44 1A 7F 35 75 36 2D 2B"
+        + "11 17 5A 03 6D 50 36 07  15 3C 09 01 04 47 2B 36"
+        + "41 0a 38"
+    ).replace(" ", "")
+)
+
+flag = bytearray(flag)
+flag[0] ^= 0x57
+
+for state in range(1, len(flag)):
+    t = state // 0x16 + 2 * (
+        state // 0x16 + (((((0x2E8BA2E8BA2E8BA3 * state) >> 64) & 0xFFFFFFFFFFFFFFFC)))
+    )
+    flag[state] ^= rand_arr[state - 2 * t]
+
+print(flag.decode())

SECCON/2022/babycmp/solver.py

@@ -0,0 +1,14 @@
+#!/bin/sh
+if [ -z "$1" ]
+then
+    echo "[+] ${0} <flag.txt>"
+    exit 1
+else
+    clamscan --bytecode-unsigned=yes --quiet -dflag.cbc "$1"
+    if [ $? -eq 1 ]
+    then
+        echo "Correct!"
+    else
+        echo "Wrong..."
+    fi
+fi

SECCON/2022/devil_hunter/check.sh

@@ -0,0 +1,23 @@
+ClamBCafhaio`lfcf|aa```c``a```|ah`cnbac`cecnb`c``beaacp`clamcoincidencejb:4096
+Seccon.Reversing.{FLAG};Engine:56-255,Target:0;0;0:534543434f4e7b
+Teddaaahdabahdacahdadahdaeahdafahdagahebdeebaddbdbahebndebceaacb`bbadb`baacb`bb`bb`bdaib`bdbfaah
+Eaeacabbae|aebgefafdf``adbbe|aecgefefkf``aebae|amcgefdgfgifbgegcgnfafmfef``
+G`ad`@`bdeBceBefBcfBcfBofBnfBnbBbeBefBfgBefBbgBcgBifBnfBgfBnbBfdBldBadBgd@`bad@Aa`bad@Aa`
+A`b`bLabaa`b`b`Faeac
+Baa``b`abTaa`aaab
+Bb`baaabbaeAc`BeadTbaab
+BTcab`b@dE
+A`aaLbhfb`dab`dab`daahabndabad`bndabad`b`b`aa`b`d`b`d`b`d`b`b`bad`bad`b`b`aa`b`d`b`b`aa`ah`aa`aa`b`b`aa`b`d`b`d`b`d`b`b`bad`bad`b`b`b`b`b`d`b`d`b`b`b`b`bad`b`b`bad`b`d`aa`b`b`aa`b`b`bad`b`b`bad`b`b`aa`aa`b`b`bad`b`b`bad`b`b`aa`aa`b`b`bad`b`b`bad`b`b`aa`aa`b`b`bad`b`b`bad`b`b`aa`aa`b`b`bad`b`b`bad`b`b`aa`aa`b`b`bad`b`b`bad`b`b`aa`aa`b`b`bad`b`b`bad`b`b`aa`aa`b`b`bad`b`b`bad`b`b`aa`aa`b`d`b`d`aa`Fbcgah
+Bbadaedbbodad@dbadagdbbodaf@db`bahabbadAgd@db`d`bb@habTbaab
+Baaaiiab`dbbaBdbhb`d`bbbbaabTaaaiabac
+Bb`dajbbabajb`dakh`ajB`bhb`dalj`akB`bhb`bamn`albadandbbodad@dbadaocbbadanamb`bb`aabbabaoAadaabaanab`bb`aAadb`dbbaa`ajAahb`d`bb@h`Taabaaagaa
+Bb`bbcaabbabacAadaabdakab`bbca@dahbeabbacbeaaabfaeaahbeaBmgaaabgak`bdabfab`d`bb@h`Taabgaadag
+Bb`bbhaabbabacAadaabiakab`bbha@db`d`bb@haab`d`bb@h`Taabiaagae
+Bb`dbjabbaabjab`dbkah`bjaB`bhb`dblaj`bkaB`bhb`bbman`blabadbnadbbodad@dbadboacbbadbnabmab`bb`bgbboab`bbab`baacb`bb`dbbbh`bjaBnahb`dbcbj`bbbB`bhb`bbdbn`bcbb`bbebc`Add@dbadbfbcbbadagbebb`bbgbc`Addbdbbadbhbcbbadbfbbgbb`b`fbbabbhbb`dbiba`bjaAdhaabjbiab`dbibBdbhb`d`bbbibaaTaabjbaeaf
+Bb`bbkbgbagaablbeab`bbkbHbj`hnicgdb`bbmbc`Add@dbadbnbcbbadagbmbb`bbobc`AddAadbadb`ccbbadbnbbobb`bbacgbb`caabbceab`bbacHcj`hnjjcdaabcck`blbbbcb`bbdcc`Add@dbadbeccbbadagbdcb`bbfcc`AddAbdbadbgccbbadbecbfcb`bbhcgbbgcaabiceab`bbhcHoigndjkcdaabjck`bccbicb`bbkcc`Add@dbadblccbbadagbkcb`bbmcc`AddAcdbadbnccbbadblcbmcb`bbocgbbncaab`deab`bbocHcoaljkhgdaabadk`bjcb`db`bbbdc`Add@dbadbcdcbbadagbbdb`bbddc`AddAddbadbedcbbadbcdbddb`bbfdgbbedaabgdeab`bbfdHcoalionedaabhdk`badbgdb`bbidc`Add@dbadbjdcbbadagbidb`bbkdc`AddAedbadbldcbbadbjdbkdb`bbmdgbbldaabndeab`bbmdHoilnikkcdaabodk`bhdbndb`bb`ec`Add@dbadbaecbbadagb`eb`bbbec`AddAfdbadbcecbbadbaebbeb`bbdegbbceaabeeeab`bbdeHdochfheedaabfek`bodbeeb`bbgec`Add@dbadbhecbbadagbgeb`bbiec`AddAgdbadbjecbbadbhebieb`bbkegbbjeaableeab`bbkeHdiemjoeedaabmek`bfebleb`bbnec`Add@dbadboecbbadagbneb`bb`fc`AddAhdbadbafcbbadboeb`fb`bbbfgbbafaabcfeab`bbbfHoimmoklfdaabdfk`bmebcfb`dbefo`bdfb`d`bbbef`Tbaag
+Bb`dbffbb`bffaabgfn`bffTcaaabgfE
+Aab`bLbaab`b`b`dab`dab`d`b`d`b`b`b`b`b`b`b`b`b`b`b`b`b`b`b`b`b`b`b`b`aa`b`d`b`d`Fbfaac
+Bb`d`bb@habb`d`bbG`lckjljhaaTbaaa
+Bb`dacbbaaacb`dadbbabadb`baen`acb`bafn`adb`bagh`afAcdb`bahi``agb`baik`ahBoodb`bajm`aiaeb`bakh`ajAhdb`bali`aeBhadb`baml`akalb`bana`afAadaaaoeab`banAddb`db`ao`anb`dbaao`amb`d`bbb`aabb`d`bbbaaaaTaaaoabaa
+BTcab`bamE
+Snfofdg`bcgof`befafcgig`bjc`ej`

SECCON/2022/devil_hunter/flag.cbc

@@ -0,0 +1 @@
+SECCON{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}

SECCON/2022/devil_hunter/flag.txt

@@ -0,0 +1,148 @@
+diff --git a/clambc/bcrun.c b/clambc/bcrun.c
+index 669df0a93..718fbc31d 100644
+--- a/clambc/bcrun.c
++++ b/clambc/bcrun.c
+@@ -402,6 +402,26 @@ int main(int argc, char *argv[])
+             fprintf(stderr, "Out of memory\n");
+             exit(3);
+         }
++        
++        if ((opt = optget(opts, "input"))->enabled) {
++            fd = open(opt->strarg, O_RDONLY | O_BINARY);
++            if (fd == -1) {
++                fprintf(stderr, "Unable to open input file %s: %s\n", opt->strarg, strerror(errno));
++                optfree(opts);
++                exit(5);
++            }
++            map = fmap(fd, 0, 0, opt->strarg);
++            if (!map) {
++                fprintf(stderr, "Unable to map input file %s\n", opt->strarg);
++                exit(5);
++            }
++            rc = cli_bytecode_context_setfile(ctx, map);
++            if (rc != CL_SUCCESS) {
++                fprintf(stderr, "Unable to set file %s: %s\n", opt->strarg, cl_strerror(rc));
++                optfree(opts);
++                exit(5);
++            }
++        }
+ 
+         // ctx was memset, so recursion_level starts at 0.
+         cctx.recursion_stack[cctx.recursion_level].fmap = map;
+@@ -416,6 +436,7 @@ int main(int argc, char *argv[])
+         dbg_state.col      = 0;
+         dbg_state.showline = !optget(opts, "no-trace-showsource")->enabled;
+         tracelevel         = optget(opts, "trace")->numarg;
++        printf("tracelevel %d\n", tracelevel);
+         cli_bytecode_context_set_trace(ctx, tracelevel,
+                                        tracehook,
+                                        tracehook_op,
+@@ -440,25 +461,6 @@ int main(int argc, char *argv[])
+             }
+         }
+ 
+-        if ((opt = optget(opts, "input"))->enabled) {
+-            fd = open(opt->strarg, O_RDONLY | O_BINARY);
+-            if (fd == -1) {
+-                fprintf(stderr, "Unable to open input file %s: %s\n", opt->strarg, strerror(errno));
+-                optfree(opts);
+-                exit(5);
+-            }
+-            map = fmap(fd, 0, 0, opt->strarg);
+-            if (!map) {
+-                fprintf(stderr, "Unable to map input file %s\n", opt->strarg);
+-                exit(5);
+-            }
+-            rc = cli_bytecode_context_setfile(ctx, map);
+-            if (rc != CL_SUCCESS) {
+-                fprintf(stderr, "Unable to set file %s: %s\n", opt->strarg, cl_strerror(rc));
+-                optfree(opts);
+-                exit(5);
+-            }
+-        }
+         /* for testing */
+         ctx->hooks.match_counts  = deadbeefcounts;
+         ctx->hooks.match_offsets = deadbeefcounts;
+diff --git a/libclamav/bytecode_vm.c b/libclamav/bytecode_vm.c
+index 74953c852..925cf0bb4 100644
+--- a/libclamav/bytecode_vm.c
++++ b/libclamav/bytecode_vm.c
+@@ -79,7 +79,7 @@ static inline int bcfail(const char *msg, long a, long b,
+ #define CHECK_EQ(a, b)
+ #define CHECK_GT(a, b)
+ #endif
+-#if 0 /* too verbose, use #ifdef CL_DEBUG if needed */
++#if 1 /* too verbose, use #ifdef CL_DEBUG if needed */
+ #define CHECK_UNREACHABLE                                \
+     do {                                                 \
+         cli_dbgmsg("bytecode: unreachable executed!\n"); \
+@@ -737,29 +737,29 @@ int cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct
+         TRACE_INST(inst);
+ 
+         switch (inst->interp_op) {
+-            DEFINE_BINOP(OP_BC_ADD, res = op0 + op1);
+-            DEFINE_BINOP(OP_BC_SUB, res = op0 - op1);
+-            DEFINE_BINOP(OP_BC_MUL, res = op0 * op1);
++            DEFINE_BINOP(OP_BC_ADD, printf("%d + %d\n", op0, op1); res = op0 + op1);
++            DEFINE_BINOP(OP_BC_SUB, printf("%d - %d\n", op0, op1); res = op0 - op1);
++            DEFINE_BINOP(OP_BC_MUL, printf("%d * %d\n", op0, op1); res = op0 * op1);
+ 
+             DEFINE_BINOP(OP_BC_UDIV, CHECK_OP(op1 == 0, "bytecode attempted to execute udiv#0\n");
+-                         res = op0 / op1);
++                         printf("%d / %d\n", op0, op1); res = op0 / op1);
+             DEFINE_BINOP(OP_BC_SDIV, CHECK_OP(check_sdivops(sop0, sop1), "bytecode attempted to execute sdiv#0\n");
+-                         res = sop0 / sop1);
++                         printf("%d /s %d\n", op0, op1); res = sop0 / sop1);
+             DEFINE_BINOP(OP_BC_UREM, CHECK_OP(op1 == 0, "bytecode attempted to execute urem#0\n");
+-                         res = op0 % op1);
++                         printf("%d %% %d\n", op0, op1); res = op0 % op1);
+             DEFINE_BINOP(OP_BC_SREM, CHECK_OP(check_sdivops(sop0, sop1), "bytecode attempted to execute urem#0\n");
+-                         res = sop0 % sop1);
++                         printf("%d %%s %d\n", op0, op1); res = sop0 % sop1);
+ 
+             DEFINE_BINOP(OP_BC_SHL, CHECK_OP(op1 > inst->type, "bytecode attempted to execute shl greater than bitwidth\n");
+-                         res = op0 << op1);
++                         printf("%d << %d\n", op0, op1); res = op0 << op1);
+             DEFINE_BINOP(OP_BC_LSHR, CHECK_OP(op1 > inst->type, "bytecode attempted to execute lshr greater than bitwidth\n");
+-                         res = op0 >> op1);
++                         printf("%d >> %d\n", op0, op1); res = op0 >> op1);
+             DEFINE_BINOP(OP_BC_ASHR, CHECK_OP(op1 > inst->type, "bytecode attempted to execute ashr greater than bitwidth\n");
+-                         res = CLI_SRS(sop0, op1));
++                         printf("%d >>a %d\n", op0, op1); res = CLI_SRS(sop0, op1));
+ 
+-            DEFINE_BINOP(OP_BC_AND, res = op0 & op1);
+-            DEFINE_BINOP(OP_BC_OR, res = op0 | op1);
+-            DEFINE_BINOP(OP_BC_XOR, res = op0 ^ op1);
++            DEFINE_BINOP(OP_BC_AND, printf("%d & %d\n", op0, op1); res = op0 & op1);
++            DEFINE_BINOP(OP_BC_OR, printf("%d | %d\n", op0, op1); res = op0 | op1);
++            DEFINE_BINOP(OP_BC_XOR, printf("%d ^ %d\n", op0, op1); res = op0 ^ op1);
+ 
+             // clang-format off
+             DEFINE_SCASTOP(OP_BC_SEXT,
+@@ -803,16 +803,16 @@ int cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct
+             DEFINE_OP_BC_RET_N(OP_BC_RET_VOID * 5 + 3, uint8_t, (void), (void));
+             DEFINE_OP_BC_RET_N(OP_BC_RET_VOID * 5 + 4, uint8_t, (void), (void));
+ 
+-            DEFINE_ICMPOP(OP_BC_ICMP_EQ, res = (op0 == op1));
+-            DEFINE_ICMPOP(OP_BC_ICMP_NE, res = (op0 != op1));
+-            DEFINE_ICMPOP(OP_BC_ICMP_UGT, res = (op0 > op1));
+-            DEFINE_ICMPOP(OP_BC_ICMP_UGE, res = (op0 >= op1));
+-            DEFINE_ICMPOP(OP_BC_ICMP_ULT, res = (op0 < op1));
+-            DEFINE_ICMPOP(OP_BC_ICMP_ULE, res = (op0 <= op1));
+-            DEFINE_ICMPOP(OP_BC_ICMP_SGT, res = (sop0 > sop1));
+-            DEFINE_ICMPOP(OP_BC_ICMP_SGE, res = (sop0 >= sop1));
+-            DEFINE_ICMPOP(OP_BC_ICMP_SLE, res = (sop0 <= sop1));
+-            DEFINE_ICMPOP(OP_BC_ICMP_SLT, res = (sop0 < sop1));
++            DEFINE_ICMPOP(OP_BC_ICMP_EQ, printf("%d == %d (%08x == %08x)\n", op0, op1, op0, op1); res = (op0 == op1));
++            DEFINE_ICMPOP(OP_BC_ICMP_NE, printf("%d != %d\n", op0, op1); res = (op0 != op1));
++            DEFINE_ICMPOP(OP_BC_ICMP_UGT, printf("%d > %d\n", op0, op1); res = (op0 > op1));
++            DEFINE_ICMPOP(OP_BC_ICMP_UGE, printf("%d >= %d\n", op0, op1); res = (op0 >= op1));
++            DEFINE_ICMPOP(OP_BC_ICMP_ULT, printf("%d < %d\n", op0, op1); res = (op0 < op1));
++            DEFINE_ICMPOP(OP_BC_ICMP_ULE, printf("%d <= %d\n", op0, op1); res = (op0 <= op1));
++            DEFINE_ICMPOP(OP_BC_ICMP_SGT, printf("%d >s %d\n", op0, op1); res = (sop0 > sop1));
++            DEFINE_ICMPOP(OP_BC_ICMP_SGE, printf("%d >=s %d\n", op0, op1); res = (sop0 >= sop1));
++            DEFINE_ICMPOP(OP_BC_ICMP_SLE, printf("%d <=s %d\n", op0, op1); res = (sop0 <= sop1));
++            DEFINE_ICMPOP(OP_BC_ICMP_SLT, printf("%d <s %d\n", op0, op1); res = (sop0 < sop1));
+ 
+             case OP_BC_SELECT * 5: {
+                 uint8_t t0, t1, t2;

SECCON/2022/devil_hunter/solver-debug.patch

@@ -0,0 +1,14 @@
+from binascii import unhexlify
+
+# result of A * 36
+magic1 = bytearray(unhexlify("739e80a23aae80a33ba4e79f78bac1f35ef9c1f33bb9ec9f558683f455fad5946cbfdd9f"))
+magic2 = bytearray(unhexlify("4b8bf2814b8bf2814b8bf2814b8bf2814b8bf2814b8bf2814b8bf2814b8bf2814b8bf281"))
+
+flag = ""
+
+for i in range(36):
+    x = (i + 3) % 4 + i // 4 * 4
+    flag += chr(magic1[x] ^ magic2[x] ^ ord("A"))
+
+# SECCON{byT3c0d3_1nT3rpr3T3r_1s_4_L0T_0f_fun}
+print(flag)

SECCON/2022/devil_hunter/solver.py

@@ -0,0 +1,30 @@
+from Crypto.Util.number import *
+from flag import flag
+
+p = getStrongPrime(512)
+q = getStrongPrime(512)
+e = 65537
+n = p * q
+phi = (p - 1) * (q - 1)
+
+d = pow(e, -1, phi)
+
+print(f"n = {n}")
+print(f"e = {e}")
+print(f"flag_length = {flag.bit_length()}")
+
+# Oops! encrypt without padding!
+c = pow(flag, e, n)
+print(f"c = {c}")
+
+# padding format: 0b0011111111........
+def check_padding(c):
+    padding_pos = n.bit_length() - 2
+    m = pow(c, d, n)
+
+    return (m >> (padding_pos - 8)) == 0xFF
+
+
+while True:
+    c = int(input("c = "))
+    print(check_padding(c))

SECCON/2022/this_is_not_lsb/problem.py

@@ -0,0 +1,98 @@
+from Crypto.Util.number import long_to_bytes
+from pwn import *
+
+con = remote("this-is-not-lsb.seccon.games", 8080)
+
+con.recvuntil(b"n = ")
+n = int(con.recvline().strip())
+con.recvuntil(b"e = ")
+e = int(con.recvline().strip())
+assert e == 65537
+con.recvuntil(b"flag_length = ")
+flag_length = int(con.recvline().strip())
+assert flag_length == 439
+
+con.recvuntil(b"c = ")
+ct = int(con.recvline().strip())
+
+
+def check_coeff(x):
+    con.recvuntil(b"c = ")
+    q = (pow(x, e, n) * ct) % n
+    con.sendline(b"%d" % q)
+    return con.recvline().strip() == b"True"
+
+
+# prefix = None
+prefix = 0b1010011010
+
+
+if prefix is None:
+    intervals = []
+
+    for prefix in range(2**9):
+        flag_lo = (2**9 + prefix) << 429
+        flag_hi = flag_lo + ((1 << 429) - 1)
+
+        target_lo = 0b0011111111 << 1014
+        target_hi = target_lo + ((1 << 1014) - 1)
+
+        interval = (
+            (target_lo // flag_lo) + 1,
+            (target_hi // flag_hi),
+        )
+
+        assert interval[1] >= interval[0]
+        intervals.append(interval)
+
+    prev_lo = 1 << 1024
+
+    for prefix in range(2**9):
+        q = min(prev_lo - 1, intervals[prefix][1])
+        if check_coeff(q):
+            break
+
+        # assert unique interval range exists
+        if prefix != 0 and prefix != len(intervals) - 1:
+            assert intervals[prefix - 1][0] >= intervals[prefix + 1][1]
+
+    prefix = 2**9 + prefix
+
+# highest 10 bit is decided
+log.success(bin(prefix))
+
+known_bit = 10
+while known_bit < flag_length:
+    target_bit = known_bit + 1
+
+    zero_lo = ((prefix << 1) + 0) << (flag_length - target_bit)
+    zero_hi = zero_lo + ((1 << (flag_length - target_bit)) - 1)
+
+    one_lo = ((prefix << 1) + 1) << (flag_length - target_bit)
+    one_hi = one_lo + ((1 << (flag_length - target_bit)) - 1)
+
+    n_coeff = ((1 << (target_bit + 1013)) - (0b0011111111 << 1014)) // n + 1
+    target_lo = (0b0011111111 << 1014) + n * n_coeff
+    target_hi = target_lo + ((1 << 1014) - 1)
+
+    zero_interval = (
+        (target_lo // zero_lo) + 1,
+        (target_hi // zero_hi),
+    )
+    
+    one_interval = (
+        (target_lo // one_lo) + 1,
+        (target_hi // one_hi),
+    )
+
+    if check_coeff(zero_interval[1]):
+        prefix = prefix * 2
+    else:
+        assert check_coeff(one_interval[1])
+        prefix = prefix * 2 + 1
+    known_bit += 1
+
+    print(bin(prefix))
+
+# SECCON{WeLC0me_t0_tHe_MirRoR_LaNd!_tHIs_is_lSb_orAcLe!}
+print(long_to_bytes(prefix).decode())

SECCON/2022/this_is_not_lsb/solver.py

@@ -0,0 +1,25 @@
+FROM ubuntu:jammy
+
+RUN apt-get update && apt-get -y install openssh-server file procps
+
+WORKDIR /app
+
+RUN groupadd -r ctf && useradd -m -r -g ctf ctf
+RUN echo "ctf:ctf" | chpasswd
+
+RUN echo 'ForceCommand "/app/checker.sh"' >> /etc/ssh/sshd_config
+RUN echo 'Port 2022' >> /etc/ssh/sshd_config
+RUN mkdir /var/run/sshd
+
+COPY flag.txt /
+COPY checker.sh /app/
+
+RUN chmod 444 /flag.txt
+RUN chmod 555 /app/checker.sh
+
+CMD while true; do \
+        # kill long running processes for ssh
+        ps -eo comm,pid,etimes | awk '/^checker.sh/ {if ($3 > 10) { print $2 }}' | xargs --no-run-if-empty kill -9; \
+        sleep 5s; \
+    done & \
+    /sbin/sshd -D

SECCON/2022/txtchecker/Dockerfile

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+read -p "Input a file path: " filepath
+file $filepath 2>/dev/null | grep -q "ASCII text" 2>/dev/null
+
+# TODO: print the result the above command.
+#   $? == 0 -> It's a text file.
+#   $? != 0 -> It's not a text file.
+exit 0