R136A1
[ctf-d] fore1-hit-the-core :: Disk (strings) 본문
fore1.core 파일을 받을 수 있다.
core 파일은 프로그램이 특정 시점에 작업 중이던 메모리 상태를 기록한 것으로
보통 비정상적으로 종료됐을 때 만들어진다고 한다.
▶ 전체 텍스트
CORE
code
./code
CORE
CORE
////
////
////
LINUX
////
////
////
IGISCORE
CORE
ELIFCORE
/home/oddcoder/projects/ctf/forensics/FORE1/code
/usr/lib64/libc-2.24.so
/usr/lib64/libc-2.24.so
/usr/lib64/ld-2.24.so
/usr/lib64/ld-2.24.so
/lib64/ld-linux-x86-64.so.2
:Wzc
__isoc99_scanf
GLIBC_2.7
libc.so.6
__libc_start_main
GLIBC_2.2.5
strlen
putchar
_Jv_RegisterClasses
_ITM_registerTMCloneTable
_ITM_deregisterTMCloneTable
__gmon_start__
UH-
ffffff.
AWAVA
AUATL
[]A\A]A^A_
cvqAeqacLtqazEigwiXobxrCrtuiTzahfFreqc{bnjrKwgk83kgd43j85ePgb_e_rwqr7fvbmHjklo3tews_hmkogooyf0vbnk0ii87Drfgh_n kiwutfb0ghk9ro987k5tfb_hjiouo087ptfcv}
;*3$"
(q9e
aliases
ethers
group
gshadow
hosts
initgroups
netgroup
networks
passwd
protocols
publickey
services
shadow
H^9e
`\9e
CAk[S
<KIn
P09e
/lib64/libc.so.6
@69e
X69e
(q9e
X69e
libc.so.6
/lib64
libc.so.6
X69e
X69e
(q9e
X69e
(q9e
X69e
X69e
X69e
X;9e
h{9e
(q9e
P^9e
X69e
`^9e
P^9e
_9e
0_9e
P_9e
@_9e
p^9e
(q9e
X69e
`?9e
(q9e
(q9e
X;9e
p;9e
8;9e
(q9e
(q9e
(q9e
(q9e
(q9e
(q9e
(q9e
(q9e
(q9e
(q9e
(q9e
(q9e
(q9e
(q9e
(q9e
(q9e
X{9e
X69e
(q9e
8{9e
0{9e
xy9e
xy9e
X{9e
linux-vdso.so.1
tls/x86_64/
P09e
X69e
@69e
X69e
@69e
(q9e
@69e
(q9e
@69e
X69e
@69e
(q9e
X69e
(q9e
(q9e
8;9e
X69e
X69e
X69e
X;9e
X69e
X69e
X;9e
(q9e
(q9e
X69e
(q9e
(q9e
<KIn
zx86_64
./code
XDG_RUNTIME_DIR=/run/user/1000
USER=oddcoder
LANG=en_GB.UTF-8
DISPLAY=:0
SHLVL=1
LOGNAME=oddcoder
XDG_VTNR=2
PWD=/home/oddcoder/projects/ctf/forensics/FORE1
XAUTHORITY=/run/user/1000/gdm/Xauthority
DESKTOP_AUTOSTART_ID=10ab109dba35c96ded148518641989298500000024500001
QT_QPA_PLATFORMTHEME=qgnomeplatform
JOURNAL_STREAM=8:36936
QTDIR=/usr/lib64/qt-3.3
XDG_SESSION_ID=2
DESKTOP_SESSION=gnome-xorg
XDG_SESSION_DESKTOP=gnome-xorg
GDMSESSION=gnome-xorg
GNOME_DESKTOP_SESSION_ID=this-is-deprecated
USERNAME=oddcoder
WINDOWPATH=2
COLORTERM=truecolor
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
MODULESHOME=/usr/share/Modules
HISTCONTROL=ignoredups
MAIL=/var/spool/mail/oddcoder
XDG_DATA_DIRS=/home/oddcoder/.local/share/flatpak/exports/share/:/var/lib/flatpak/exports/share/:/usr/local/share/:/usr/share/
XDG_MENU_PREFIX=gnome-
VTE_VERSION=4601
GDM_LANG=en_GB.UTF-8
HOSTNAME=localhost.localdomain
XDG_SESSION_TYPE=x11
SHELL=/bin/zsh
WINDOWID=48235210
TERM=xterm-256color
QTLIB=/usr/lib64/qt-3.3/lib
XDG_CURRENT_DESKTOP=GNOME
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
HISTSIZE=10000
PATH=/home/oddcoder/.nvm/versions/node/v7.2.1/bin:/opt/dex2jar:/opt/:/usr/lib64/qt-3.3/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/home/oddcoder/bin:/opt/android/build-tools/:/opt/android/extras/:/opt/android/platforms/:/opt/android/platform-tools/:/opt/android/sources/:/opt/android/system-images/:/opt/android/temp/:/opt/android/tools/:/home/oddcoder/projects/offdroid
MODULEPATH=/etc/scl/modulefiles:/etc/scl/modulefiles:/usr/share/Modules/modulefiles:/etc/modulefiles:/usr/share/modulefiles
SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/2450,unix/unix:/tmp/.ICE-unix/2450
HOME=/home/oddcoder
XMODIFIERS=@im=ibus
QT_IM_MODULE=ibus
QTINC=/usr/lib64/qt-3.3/include
LOADEDMODULES=
XDG_SEAT=seat0
LESSOPEN=||/usr/bin/lesspipe.sh %s
OLDPWD=/home/oddcoder/projects/ctf/forensics
LS_COLORS=rs=0:di=38;5;33:ln=38;5;51:mh=00:pi=40;38;5;11:so=38;5;13:do=38;5;5:bd=48;5;232;38;5;11:cd=48;5;232;38;5;3:or=48;5;232;38;5;9:mi=01;05;37;41:su=48;5;196;38;5;15:sg=48;5;11;38;5;16:ca=48;5;196;38;5;226:tw=48;5;10;38;5;16:ow=48;5;10;38;5;21:st=48;5;21;38;5;15:ex=38;5;40:*.tar=38;5;9:*.tgz=38;5;9:*.arc=38;5;9:*.arj=38;5;9:*.taz=38;5;9:*.lha=38;5;9:*.lz4=38;5;9:*.lzh=38;5;9:*.lzma=38;5;9:*.tlz=38;5;9:*.txz=38;5;9:*.tzo=38;5;9:*.t7z=38;5;9:*.zip=38;5;9:*.z=38;5;9:*.Z=38;5;9:*.dz=38;5;9:*.gz=38;5;9:*.lrz=38;5;9:*.lz=38;5;9:*.lzo=38;5;9:*.xz=38;5;9:*.bz2=38;5;9:*.bz=38;5;9:*.tbz=38;5;9:*.tbz2=38;5;9:*.tz=38;5;9:*.deb=38;5;9:*.rpm=38;5;9:*.jar=38;5;9:*.war=38;5;9:*.ear=38;5;9:*.sar=38;5;9:*.rar=38;5;9:*.alz=38;5;9:*.ace=38;5;9:*.zoo=38;5;9:*.cpio=38;5;9:*.7z=38;5;9:*.rz=38;5;9:*.cab=38;5;9:*.jpg=38;5;13:*.jpeg=38;5;13:*.gif=38;5;13:*.bmp=38;5;13:*.pbm=38;5;13:*.pgm=38;5;13:*.ppm=38;5;13:*.tga=38;5;13:*.xbm=38;5;13:*.xpm=38;5;13:*.tif=38;5;13:*.tiff=38;5;13:*.png=38;5;13:*.svg=38;5;13:*.svgz=38;5;13:*.mng=38;5;13:*.pcx=38;5;13:*.mov=38;5;13:*.mpg=38;5;13:*.mpeg=38;5;13:*.m2v=38;5;13:*.mkv=38;5;13:*.webm=38;5;13:*.ogm=38;5;13:*.mp4=38;5;13:*.m4v=38;5;13:*.mp4v=38;5;13:*.vob=38;5;13:*.qt=38;5;13:*.nuv=38;5;13:*.wmv=38;5;13:*.asf=38;5;13:*.rm=38;5;13:*.rmvb=38;5;13:*.flc=38;5;13:*.avi=38;5;13:*.fli=38;5;13:*.flv=38;5;13:*.gl=38;5;13:*.dl=38;5;13:*.xcf=38;5;13:*.xwd=38;5;13:*.yuv=38;5;13:*.cgm=38;5;13:*.emf=38;5;13:*.ogv=38;5;13:*.ogx=38;5;13:*.aac=38;5;45:*.au=38;5;45:*.flac=38;5;45:*.m4a=38;5;45:*.mid=38;5;45:*.midi=38;5;45:*.mka=38;5;45:*.mp3=38;5;45:*.mpc=38;5;45:*.ogg=38;5;45:*.ra=38;5;45:*.wav=38;5;45:*.oga=38;5;45:*.opus=38;5;45:*.spx=38;5;45:*.xspf=38;5;45:
ZSH=/home/oddcoder/.oh-my-zsh
PAGER=less
LESS=-R
LC_CTYPE=en_GB.UTF-8
LSCOLORS=Gxfxcxdxbxegedabagacad
ANDROID_HOME=/opt/android/
OFFDROID=/home/oddcoder/projects/offdroid
NVM_DIR=/home/oddcoder/.nvm
NVM_CD_FLAGS=-q
NVM_NODEJS_ORG_MIRROR=https://nodejs.org/dist
NVM_IOJS_ORG_MIRROR=https://iojs.org/dist
MANPATH=/home/oddcoder/.nvm/versions/node/v7.2.1/share/man:/usr/local/share/man:/usr/share/man
NVM_PATH=/home/oddcoder/.nvm/versions/node/v7.2.1/lib/node
NVM_BIN=/home/oddcoder/.nvm/versions/node/v7.2.1/bin
_=/home/oddcoder/projects/ctf/forensics/FORE1/./code
./code
bemX
__vdso_clock_gettime
__vdso_gettimeofday
__vdso_time
__vdso_getcpu
linux-vdso.so.1
LINUX_2.6
Linux
AUATSL
[A\A]]
D;#u
[A\A]]
D9#u
AUATSH
[A\A]]
GCC: (GNU) 6.3.1 20161221 (Red Hat 6.3.1-1)
.shstrtab
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_d
.dynamic
.rodata
.note
.eh_frame_hdr
.eh_frame
.text
.altinstructions
.altinstr_replacement
.comment
.shstrtab
note0
load
cvqAeqacLtqazEigwiXobxrCrtuiTzahfFreqc{bnjrKwgk83kgd43j85ePgb_e_rwqr7fvbmHjklo3tews_hmkogooyf0vbnk0ii87Drfgh_n kiwutfb0ghk9ro987k5tfb_hjiouo087ptfcv}
BASE64 인코딩같은 (유독) 긴 문자열을 발견할 수 있다.
그런데 아니었다...
AeqacLtqazEigwiXobxrCrtuiTzahfFreqc{bnjrKwgk83kgd43j85ePgb_e_rwqr7fvbmHjklo3tews_hmkogooyf0vbnk0ii87Drfgh_n kiwutfb0ghk9ro987k5tfb_hjiouo087ptfcv}
보니까 대문자가 ALEXCTF를 완성하는 것을 확인할 수 있었고
이를 토대로 소문자를 없애보면..
ALEXCTF{K834385P__7H3_0087D_ 099875_087}
가 나오는데 영 플래그같이 생기진 않았다. 그나마 7H3가 THE로 확실히 leet를 활용했다는 단서를 알 수 있다.
또 다른 규칙성을 찾아보자면, AeqacLtqazEigwiXobxrCrtuiTzahfFreqc 가 4글자 간격으로 반복된다는 것이다
이를 토대로 노가다하거나 파이썬 코드를 작성하여 4번째 글자만 출력하도록 해보면...
string = 'bnjrKwgk83kgd43j85ePgb_e_rwqr7fvbmHjklo3tews_hmkogooyf0vbnk0ii87Drfgh_n kiwutfb0ghk9ro987k5tfb_hjiouo087ptfcv'
count=0
while True :
print(string[count], end='')
count+=5
if count >= len(string) :
breakK33P_7H3_g00D_w0rk_up 이 나온다.
ALEXCTF{K33P_7H3_g00D_w0rk_up}
추가적으로 가장 처음인 K를 찾을 때 b부터 시작해서 4개를 건너뛰어야 하는지 / 4개를 건너뛰고 K를 선택해야 하는지
애매하긴 한데, 둘 다 해보고 더 플래그같은 문자열을 제출하면 되겠다.
해당 문제로 얻을 수 있는 관점:
① 가장 기본적으로 strings 사용해보기
② 플래그 형식이 인코딩 되어 있을 수 있다.
③ 플래그 형식 { } 은 생각보다 많이 쓰이지 않는다. 주목해볼 것 - {.*} 로 검색
④ 인코딩 외 간단한 퍼즐 형식으로도 플래그를 얻을 수 있다. (가장 기본: 규칙성 찾기)
'FORENSIC > ctf-d' 카테고리의 다른 글
| [ctf-d] 저희는 디스크 이미지를 찾았습니다. :: else (carving) / Disk (0) | 2022.02.16 |
|---|---|
| [ctf-d] Tommy는 프로그램을 작성했습니다. :: Disk (strings) (0) | 2022.02.16 |
| [ctf-d] 플래그를 얻어라! :: steganography (0) | 2022.01.25 |
| [ctf-d] google :: else (PIL) (0) | 2022.01.25 |
| [ctf-d] Emma Watson :: else (PIL) (0) | 2022.01.19 |
