{"id":750,"date":"2023-03-31T23:33:23","date_gmt":"2023-03-31T14:33:23","guid":{"rendered":"https:\/\/emeth.jp\/diary\/?p=750"},"modified":"2024-08-10T14:38:38","modified_gmt":"2024-08-10T05:38:38","slug":"seccon-ctf-2022-finals-writeup","status":"publish","type":"post","link":"https:\/\/emeth.jp\/diary\/2023\/03\/seccon-ctf-2022-finals-writeup\/","title":{"rendered":"SECCON CTF 2022 Finals writeup"},"content":{"rendered":"\n

Domestic\u306e\u65b9\u306b\u3044\u305f\u3002
\u3044\u308d\u3044\u308d\u3042\u3063\u3066\u66f8\u3051\u3066\u306a\u304f\u3066\u4eca\u66f4\u611f\u3042\u308b\u3051\u3069\u3051\u3058\u3081\u3068\u3057\u3066\u3002<\/p>\n\n\n\n

\u30c1\u30fc\u30e0\u5185\u3067\u5206\u62c5\u3057\u3066\u3066\u3001\u79c1\u306fJeopardy\u62c5\u5f53\u3060\u3063\u305f\u306e\u3067King of the Hill\u306e\u65b9\u306f\u898b\u3066\u304a\u3089\u305a\u4f55\u3082\u308f\u304b\u3089\u306a\u3044\u3002
Jeopardy\u3067\u306f2\u554f\u89e3\u3044\u305f\u3002<\/p>\n\n\n\n\n\n\n\n

[reversing] whisky (100pt)<\/h2>\n\n\n\n
\n

Do you like whisky(\u203b\u672c\u756a\u3067\u306fURL\u304c\u30ea\u30f3\u30af\u3055\u308c\u3066\u305f)?
Read \/flag.txt to get the flag!<\/p>\n\n\n\n

backdoor_plugin.so 77a3acac658f6f5bba266bee6f7707d80959fab2<\/p>\n<\/blockquote>\n\n\n\n

\u30d5\u30a1\u30a4\u30eb\u306f\u4ee5\u4e0b\u304b\u3089\u3002<\/p>\n\n\n\n

\"\"<\/div>
GitHub<\/div><\/div>
\"\"<\/figure>
ptr-SECCON-CTF-2022-Finals\/reversing\/whisky at main \u00b7 ptr-yudai\/ptr-SECCON-CT...<\/div>
https:\/\/github.com\/ptr-yudai\/ptr-SECCON-CTF-2022-Finals\/tree\/main\/reversing\/whisky<\/div>
My challenges for SECCON CTF 2022 Finals. Contribute to ptr-yudai\/ptr-SECCON-CTF-2022-Finals development by creating an account on GitHub.<\/div><\/div>
<\/div><\/div><\/a><\/div><\/div>\n\n\n\n

\u554f\u984c\u6587\u306e\u30ea\u30f3\u30af\u5148\u306b\u884c\u304f\u3068Wikipedia\u306e\u30a6\u30a4\u30b9\u30ad\u30fc\u306e\u753b\u50cf\u304c\u8cbc\u3089\u308c\u3066\u3044\u308b\u3060\u3051\u3002<\/p>\n\n\n\n

\u914d\u5e03\u3055\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u3092Ghidra\u3067\u8aad\u307f\u8fbc\u3093\u3067\u307f\u308b\u3068\u3001Exports\u306bbackdoor<\/code>\u3068\u3044\u3046\u95a2\u6570\u30b7\u30f3\u30dc\u30eb\u304c\u3042\u308b\u3002<\/p>\n\n\n

\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n

backdoor<\/code>\u95a2\u6570\u306e\u4e2d\u8eab\u3092\u898b\u3066\u307f\u308b\u3068\u3001uwsgi_response_add_header<\/code>\u95a2\u6570\u3092\u547c\u3093\u3067\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u3002<\/p>\n\n\n

\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n

\u3069\u3046\u3084\u3089\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306fuWSGI<\/a>\u306e\u30d7\u30e9\u30b0\u30a4\u30f3\u30e2\u30b8\u30e5\u30fc\u30eb\u3089\u3057\u3044\u3053\u3068\u304c\u308f\u304b\u3063\u305f\u3002<\/p>\n\n\n\n

\u3055\u3066\u3001backdoor<\/code>\u95a2\u6570\u3067\u306fBackdoor<\/code>\u30d8\u30c3\u30c0\u3092\u8ffd\u52a0\u3057\u3066\u3044\u308b\u304c\u3001\u305d\u306e\u3088\u3046\u306a\u30d8\u30c3\u30c0\u306f\u5148\u306e\u30a6\u30a4\u30b9\u30ad\u30fc\u753b\u50cf\u304c\u8fd4\u3063\u3066\u304d\u305f\u3068\u304d\u306b\u306f\u3064\u3044\u3066\u3044\u306a\u3044\u3002
\u3068\u3044\u3046\u3053\u3068\u306f\u4f55\u3089\u304b\u306e\u6761\u4ef6\u3067\u3053\u306ebackdoor<\/code>\u95a2\u6570\u304c\u547c\u3070\u308c\u308b\u3068\u63a8\u6e2c\u3067\u304d\u308b\u305f\u3081\u3001\u305d\u306e\u6761\u4ef6\u3092\u89e3\u660e\u3057\u3066\u6e80\u305f\u3057\u3066\u3084\u308c\u3070\u3088\u3055\u305d\u3046\u3067\u3042\u308b\u3002
backdoor<\/code>\u95a2\u6570\u306e\u547c\u3073\u51fa\u3057\u5143\u3092\u63a2\u308b\u3068\u3001uwsgi_backdoor_request<\/code>\u95a2\u6570\u304b\u3089\u547c\u3070\u308c\u3066\u3044\u308b\u3002
Wikipedia\u306e\u30a6\u30a4\u30b9\u30ad\u30fc\u753b\u50cf\u3078\u306e\u53c2\u7167\u3082\u51fa\u529b\u3057\u3066\u3044\u308b\u3053\u3068\u3082\u3042\u308a\u3001\u3053\u306e\u95a2\u6570\u304c\u30ea\u30af\u30a8\u30b9\u30c8\u51e6\u7406\u3092\u884c\u3046\u30e1\u30a4\u30f3\u306e\u95a2\u6570\u3068\u601d\u308f\u308c\u308b\u3002<\/p>\n\n\n

\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n

backdoor<\/code>\u95a2\u6570\u304c\u547c\u3070\u308c\u308b\u306b\u306f3\u3064\u306e\u6761\u4ef6\u3092\u6e80\u305f\u3059\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n\n\n\n

    \n
  1. HTTP_BACKDOOR<\/code>\u5909\u6570\u304c”enabled”\u3067\u3042\u308b\u3053\u3068<\/li>\n\n\n\n
  2. *(short *)(param_1 + 0x1d8)<\/code>\u304c0x10<\/code>\u3067\u3042\u308b\u3053\u3068<\/li>\n\n\n\n
  3. *(long *)(param_1 + 0xc0)<\/code>\u304c0<\/code>\u3067\u306a\u3044\u3053\u3068<\/li>\n<\/ol>\n\n\n\n

    2.\u30683.\u306f\u308f\u304b\u3089\u306a\u3044\u306e\u3067\u3072\u3068\u307e\u305a\u7f6e\u3044\u3066\u304a\u3044\u3066\u30011.\u306b\u3064\u3044\u3066\u8003\u3048\u308b\u3002
    HTTP_BACKDOOR<\/code>\u5909\u6570\u304c\u3069\u3053\u304b\u3089\u6765\u3066\u3044\u308b\u304b\u3002
    \u3053\u306e\u5909\u6570\u306e\u5024\u306fuwsgi_get_var<\/code>\u95a2\u6570\u3067\u53d6\u5f97\u3055\u308c\u3066\u3044\u308b\u304c\u3001\u3053\u306e\u95a2\u6570\u306b\u9650\u3089\u305auWSGI\u306e\u95a2\u6570\u306f\u30ea\u30d5\u30a1\u30ec\u30f3\u30b9\u304c\u7121\u3044\u3002
    \u4ed5\u65b9\u304c\u306a\u3044\u306e\u3067\u3050\u3050\u3063\u305f\u308a    uWSGI\u306eGitHub\u30ec\u30dd\u30b8\u30c8\u30ea<\/a>\u3092\u691c\u7d22\u3057\u305f\u308a\u3057\u3066\u3044\u308b\u3068\u3001HTTP_BACKDOOR<\/code>\u306b\u76f8\u5f53\u3059\u308b\u90e8\u5206\u306bREMOTE_ADDR<\/code>\u3068\u304bHTTP_COOKIE<\/code>\u3068\u304bSERVER_PORT<\/code>\u3068\u304b\u304c\u898b\u3048\u3066\u304f\u308b\u3002
    \u3042\u3042\u3001\u3053\u308c\u306fCGI\u306a\u3069\u3067\u306e\u74b0\u5883\u5909\u6570\u3068\u4e00\u7dd2\u3060\u306a\u3068\u308f\u304b\u308b\u306e\u3067\u30011.\u306e\u6761\u4ef6\u306f\u30ea\u30af\u30a8\u30b9\u30c8\u306bBACKDOOR<\/code>\u30d8\u30c3\u30c0\u3092\"enabled\"<\/code>\u3068\u3057\u3066\u30bb\u30c3\u30c8\u3059\u308c\u3070\u6e80\u305f\u305b\u308b\u3068\u308f\u304b\u3063\u305f\u3002<\/p>\n\n\n\n

    \u7d9a\u3044\u30662.\u30683.\u3092\u8003\u3048\u308b\u3002
    \u307e\u305aparam_1<\/code>\u306e\u578b\u306f\u3001uwsgi_get_var<\/code>\u95a2\u6570\u306e\u5ba3\u8a00\u306a\u3069\u304b\u3089struct wsgi_request *<\/code>\u3067\u3042\u308b\u3068\u308f\u304b\u308b\u3002
    wsgi_request\u306e\u30e1\u30f3\u30d0\u30fc\u306f    \u30bd\u30fc\u30b9\u30b3\u30fc\u30c9\u3092\u898b\u308c\u3070\u308f\u304b\u308b<\/a>\u3002
    \u30aa\u30d5\u30bb\u30c3\u30c8\u3092\u624b\u8a08\u7b97\u3067\u6c42\u3081\u3066\u3044\u304f\u3053\u3068\u3082\u3067\u304d\u308b\u304c\u6570\u304c\u591a\u304f\u3066\u7d76\u5bfe\u30df\u30b9\u3059\u308b\u81ea\u4fe1\u304c\u3042\u308b\u306e\u3067\u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u3084\u3063\u305f\u3002<\/p>\n\n\n

    \n#define PRINTMEMBER(PARAM) printf("%04lx: %s\\n", (long)&r.PARAM - (long)&r, #PARAM)\n\nint main(int argc, char **argv) {\n    struct wsgi_request r;\n\n    PRINTMEMBER(fd);\n    PRINTMEMBER(uh);\n    PRINTMEMBER(app_id);\n    PRINTMEMBER(dynamic);\n    PRINTMEMBER(parsed);\n\n... snip ...\n<\/pre><\/div>\n\n\n
    \u6761\u4ef6\u5206\u5c90\u3068\u305d\u306e\u5f8c\u306b\u4f7f\u308f\u308c\u3066\u3044\u308b\u30aa\u30d5\u30bb\u30c3\u30c8\u306b\u5bfe\u5fdc\u3059\u308b\u30e1\u30f3\u30d0\u30fc\u3092\u629c\u304d\u51fa\u3059\u3002<\/p>\n\n\n
    \n00c0: uri\n00c8: uri_len\n01d0: authorization\n01d8: authorization_len\n<\/pre><\/div>\n\n\n
    \u4ee5\u4e0a\u3092\u8e0f\u307e\u3048\u3066\u6761\u4ef6\u3092\u66f8\u304d\u76f4\u3057\u305f\u3082\u306e\u304c\u3053\u3061\u3089\u3002<\/p>\n\n\n\n
      \n
    1. Backdoor<\/code>\u30d8\u30c3\u30c0\u304c\"enabled\"<\/code><\/li>\n\n\n\n
    2. Authorization<\/code>\u30d8\u30c3\u30c0\u304c16\u30d0\u30a4\u30c8\u306e\u6587\u5b57\u5217<\/li>\n\n\n\n
    3. \u30ea\u30af\u30a8\u30b9\u30c8\u306e\u30d1\u30b9\u90e8\u5206\u304c\u7a7a\u6587\u5b57\u5217\u3067\u306f\u306a\u3044<\/li>\n<\/ol>\n\n\n\n
      backdoor\u95a2\u6570\u306b\u623b\u3063\u3066\u4e2d\u8eab\u3092\u898b\u3066\u307f\u308b\u3002
      \u7b2c2\u5f15\u6570\u306b\u306f\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u30d1\u30b9\u90e8\u5206\u3001\u7b2c3\u5f15\u6570\u306b\u306fAuthorization<\/code>\u30d8\u30c3\u30c0\u306e\u5024\u304c\u6e21\u3055\u308c\u308b\u3053\u3068\u3092\u8e0f\u307e\u3048\u3066\u8aad\u307f\u89e3\u3044\u3066\u3044\u304f\u3068\u3001\u300c\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u30d1\u30b9\u90e8\u5206\u3067\u6307\u5b9a\u3055\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u3092\u8aad\u307f\u8fbc\u307f\u3001Authorization<\/code>\u30d8\u30c3\u30c0\u306e\u3067\u6307\u5b9a\u3055\u308c\u305f\u5024\u3092\u9375\u3068\u3057\u3066AES-128-ECB<\/code>\u3067\u6697\u53f7\u5316\u3057\u305f\u7d50\u679c\u3092\u30ec\u30b9\u30dd\u30f3\u30b9\u306eBackdoor<\/code>\u30d8\u30c3\u30c0\u306bHex\u3067\u30bb\u30c3\u30c8\u3059\u308b\u300d\u3068\u308f\u304b\u308b\u3002<\/p>\n\n\n\n
      \u554f\u984c\u306f\/flag.txt\u3092\u8aad\u3080\u3053\u3068\u306a\u306e\u3067\u3001\u4ee5\u4e0b\u306e\u753b\u50cf\u306e\u3088\u3046\u306a\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u9001\u308a\u30ec\u30b9\u30dd\u30f3\u30b9\u306eBackdoor\u30d8\u30c3\u30c0\u306e\u5024\u3092\u81ea\u5206\u3067\u6307\u5b9a\u3057\u305f\u9375\u3067\u5fa9\u53f7\u3057\u3066\u3084\u308c\u3070\u3088\u3044\u3002
      \u30d8\u30c3\u30c0\u3092\u3044\u3058\u3063\u3066\u9001\u4fe1\u3059\u308b\u306e\u306f\u7279\u5225\u306a\u30c4\u30fc\u30eb\u3092\u4f7f\u308f\u306a\u304f\u3066\u3082Firefox\u306e\u958b\u767a\u30c4\u30fc\u30eb\u3067\u3067\u304d\u308b\u3002<\/p>\n\n\n\n
      \"\"<\/a><\/figure>\n\n\n\n
      \"\"<\/a><\/figure>\n\n\n\n
      Flag: SECCON{Which_do_you_prefer:Whisky_Beer_Wine_Sake}<\/code><\/p>\n\n\n\n
      \u79c1\u306f\u65e5\u672c\u9152\u304c\u597d\u304d\u3067\u3059\u3002
      \u3061\u306a\u307f\u306b\u3053\u306e\u554f\u984c\u306fFirst blood\u53d6\u3063\u305f\u3002\u3046\u308c\u3057\u3044\u3002\u4ed6\u306e\u30c1\u30fc\u30e0\u306fKing of the Hill\u3068\u304b\u70b9\u6570\u9ad8\u3044\u554f\u984c\u3092\u53d6\u308a\u306b\u884c\u3063\u3066\u305f\u3060\u3051\u3060\u308d\u3002<\/s><\/p>\n\n\n\n
      [reversing] Paper House (250pt)<\/h2>\n\n\n\n
      \n
      The Professor has successfully leaked the schematic and firmware of the safebox in the Paper House.
      Can you crack the password to open the vault door?<\/p>\n\n\n\n
      The flag is SECCON{}.
      i.e. If “1->2->A->B” is the key, the flag is “SECCON{12AB}”.<\/p>\n\n\n\n
      paper_house.tar.gz 41aa3ec1be4eb7bcf338cdd7ed83e56c559827ab<\/p>\n<\/blockquote>\n\n\n\n
      \u4e0e\u3048\u3089\u308c\u305f\u306e\u306f\u56de\u8def\u56f3\u3068uf2\u30d5\u30a1\u30a4\u30eb\u3002<\/p>\n\n\n
      \n
      \"\"<\/a><\/figure>\n<\/div>\n\n\n
      \u56de\u8def\u56f3\u306e\u53f3\u5074\u306b\u3042\u308b\u306e\u304cRaspberry Pi Pico H\u3067\u3001uf2\u30d5\u30a1\u30a4\u30eb\u306f\u305d\u306e\u30d5\u30a1\u30fc\u30e0\u30a6\u30a7\u30a2\u3002
      Pico\u306eGPIO\u306b\u30ad\u30fc\u30de\u30c8\u30ea\u30af\u30b9\u65b9\u5f0f\u306e\u30ad\u30fc\u30d1\u30c3\u30c9\u3068\u30b9\u30d4\u30fc\u30ab\u30fc\u3068\u30c9\u30a2\u5236\u5fa1\u30b7\u30b9\u30c6\u30e0\u304c\u63a5\u7d9a\u3055\u308c\u3066\u3044\u308b\u3002
      \u554f\u984c\u6587\u304b\u3089\u63a8\u5bdf\u3059\u308b\u306b\u3001\u30ad\u30fc\u30d1\u30c3\u30c9\u3067\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3057\u3001\u6b63\u89e3\u3060\u3068\u30c9\u30a2\u5236\u5fa1\u30b7\u30b9\u30c6\u30e0\u304c\u7a3c\u50cd\u3057\u3066\u30c9\u30a2\u304c\u958b\u304f\u4ed5\u7d44\u307f\u3002<\/p>\n\n\n\n
      \u306a\u3093\u3067\u3082\u77e5\u3063\u3066\u308bGoogle\u3055\u3093\u306b\u3088\u308a\u3001\u540c\u68b1\u306e\u30d5\u30a1\u30a4\u30ebsafe.uf2<\/code>\u306fRaspberry Pi Pico\u306e\u30d5\u30a1\u30fc\u30e0\u30a6\u30a7\u30a2\u30d5\u30a1\u30a4\u30eb\u3068\u5224\u660e\u3002
      uf2\u30d5\u30a1\u30a4\u30eb\u306e\u4ed5\u69d8\u306a\u3069\u306fMicrosoft\u304c      GitHub\u306e\u30ec\u30dd\u30b8\u30c8\u30ea<\/a>\u306b\u516c\u958b\u3057\u3066\u3044\u308b\u3002
      \u4ed5\u69d8\u3092\u8aad\u3080\u3068\u3001uf2\u30d5\u30a1\u30a4\u30eb\u306e\u4e2d\u306b\u306f\u30d5\u30a1\u30fc\u30e0\u30a6\u30a7\u30a2\u304c\u7d30\u5207\u308c\u306b\u306a\u3063\u3066\u5165\u3063\u3066\u3044\u308b\u3068\u306e\u3053\u3068\u3002
      \u30ec\u30dd\u30b8\u30c8\u30ea\u5185\u306euf2conv.py<\/code>\u3067\u4e2d\u306e\u30d5\u30a1\u30fc\u30e0\u30a6\u30a7\u30a2\u3092\u53d6\u308a\u51fa\u3059\u3053\u3068\u304c\u3067\u304d\u308b\u306e\u3067\u3001\u3053\u308c\u3092\u4f7f\u3063\u3066safe.uf2<\/code>\u304b\u3089safe.bin<\/code>\u3092\u53d6\u308a\u51fa\u3059\u3002
      \u307e\u305f\u3001uf2conv.py<\/code>\u3067uf2\u30d5\u30a1\u30a4\u30eb\u306e\u60c5\u5831\u3092\u78ba\u8a8d\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u308b\u3002<\/p>\n\n\n
      \n$ python3 uf2conf.py -i safe.uf2\n--- UF2 File Header Info ---\nFamily ID is RP2040, hex value is 0xe48bff56\nTarget Address is 0x10000000\nAll block flag values consistent, 0x2000\n----------------------------\n<\/pre><\/div>\n\n\n
      RP2040\u306fRaspberry Pi Pico\u306eCPU\u3067\u3001ARM-Cortex\/32bit\/Little Endian\u3002\u3053\u308c\u3068\u30aa\u30d5\u30bb\u30c3\u30c8\u304c0x10000000<\/code>\u3067\u3042\u308b\u3053\u3068\u3092\u4f7f\u3063\u3066safe.bin<\/code>\u3092Ghidra\u3067\u8aad\u307f\u8fbc\u3080\u3002<\/p>\n\n\n
      \n
      \"\"<\/a><\/figure>\n<\/div>\n\n\n
      \u3053\u3053\u307e\u3067\u306f\u3088\u304b\u3063\u305f\u306e\u3060\u304c\u3001\u51fa\u3066\u304d\u305f\u30b3\u30fc\u30c9\u3092\u898b\u3066\u3082\u4f55\u304c\u4f55\u3084\u3089\u308f\u304b\u3089\u306a\u3044\u3002\u3069\u3053\u304c\u30e1\u30a4\u30f3\u30ed\u30b8\u30c3\u30af\u304b\u3082\u308f\u304b\u3089\u306a\u3044\u3002
      \u3053\u308c\u3092\u9811\u5f35\u3063\u3066\u8aad\u307f\u89e3\u3053\u3046\u3068\u3057\u305f\u308a\u3001\u4f55\u304b\u3082\u3063\u3068\u89e3\u8aad\u3057\u3084\u3059\u3044\u5f62\u5f0f\u306b\u5909\u63db\u3067\u304d\u305f\u308a\u3057\u306a\u3044\u304b\u8abf\u3079\u3066\u3044\u308b\u3046\u3061\u306b\u308f\u304b\u3089\u306a\u3044\u307e\u307e1\u65e5\u76ee\u304c\u7d42\u4e86\u3002<\/p>\n\n\n\n
      \u4eca\u5e74\u306eSECCON\u306e\u4f1a\u5834\u306f\u6d45\u8349\u6a4b\u3067\u3042\u308b\u3002
      \u6d45\u8349\u6a4b\u306f\u79cb\u8449\u539f\u304b\u3089\u4e00\u99c5\u3067\u3042\u308b\u3002
      \u884c\u304d\u306f\u79cb\u8449\u539f\u304b\u3089\u6b69\u3044\u3066\u304d\u3066\u3001\u5e30\u308a\u306f\u79cb\u8449\u539f\u307e\u3067\u6b69\u3044\u3066\u96fb\u8eca\u306b\u4e57\u3063\u3066\u5e30\u308b\u306e\u3067\u3042\u308b\u3002
      \u79cb\u8449\u539f\u3068\u3044\u3048\u3070\u79cb\u6708\u304c\u3042\u308b\u306e\u3067\u3042\u308b\u3002
      \u3068\u3044\u3046\u308f\u3051\u3067\u3002<\/p>\n\n\n
      \n
      \"\"<\/a><\/figure>\n<\/div>\n\n\n
      \u5e30\u308a\u306b\u79cb\u6708\u306b\u3088\u3063\u3066\u8cb7\u3063\u3066\u304d\u307e\u3057\u305fRaspberry Pi Pico\u3002
      Getting started with Raspberry Pi Pico<\/a>\u3092\u898b\u3064\u3064\u30b5\u30f3\u30d7\u30eb\u3092\u30d3\u30eb\u30c9\u3057\u3066blink\u3092\u52d5\u304b\u3057\u3066L\u30c1\u30ab\u3057\u3066\u307f\u305f\u3042\u305f\u308a\u3067\u3001\u300c\u30b5\u30f3\u30d7\u30eb\u306e\u30b3\u30fc\u30c9\u3068\u30d0\u30a4\u30ca\u30ea\u3092\u898b\u6bd4\u3079\u308c\u3070\u30d0\u30a4\u30ca\u30ea\u8aad\u307f\u89e3\u3051\u308b\u304b\u3082\u300d\u3068\u6c17\u3065\u304f\u3002<\/p>\n\n\n
      \n
      \"\"<\/a><\/figure>\n<\/div>\n\n\n
      \u30b5\u30f3\u30d7\u30eb\u3092\u30d3\u30eb\u30c9\u3057\u305f\u3053\u3068\u306b\u3088\u308a\u3001C\u306e\u30bd\u30fc\u30b9\u30b3\u30fc\u30c9\u3068\u305d\u308c\u3092\u30b3\u30f3\u30d1\u30a4\u30eb\u30fb\u30ea\u30f3\u30af\u3057\u305fELF\u30d5\u30a1\u30a4\u30eb\u3001\u30d5\u30a1\u30fc\u30e0\u30a6\u30a7\u30a2\u306e\u30d0\u30a4\u30ca\u30ea\u30d5\u30a1\u30a4\u30eb\u304c\u624b\u5143\u306b\u3042\u308b\u3053\u3068\u306b\u306a\u308a\u3001\u305d\u308c\u305e\u308c\u3092\u898b\u6bd4\u3079\u308b\u3053\u3068\u3067\u30d0\u30a4\u30ca\u30ea\u306e\u3069\u306e\u90e8\u5206\u304c\u4f55\u3092\u3057\u3066\u3044\u308b\u304b\u3092\u8aad\u307f\u89e3\u3051\u308b\u3088\u3046\u306b\u306a\u3063\u305f\u3002
      \u3053\u308c\u3092\u8db3\u639b\u304b\u308a\u306b\u8abf\u3079\u3066\u3044\u304f\u3068safe.bin<\/code>\u306e\u4e2d\u8eab\u304c\u5927\u4f53\u8aad\u3081\u308b\u3088\u3046\u306b\u306a\u3063\u305f\u3002<\/p>\n\n\n\n
      \u4f7f\u308f\u308c\u3066\u3044\u308b\u30ad\u30fc\u30d1\u30c3\u30c9\u306f\u3053\u308c<\/a>\u3060\u304c\u3001\u79cb\u6708\u306b\u306f\u5728\u5eab\u304c\u306a\u304b\u3063\u305f\u3002
      \u79cb\u6708\u306e\u30b5\u30a4\u30c8\u306b\u56de\u8def\u56f3\u304c\u3042\u308b\u306e\u3067\u898b\u3066\u307f\u308b\u3068\u3001\u30ad\u30fc\u30de\u30c8\u30ea\u30af\u30b9\u30b9\u30a4\u30c3\u30c1\u306b\u306a\u3063\u3066\u3044\u308b\u3002<\/p>\n\n\n
      \n
      \"\"<\/a><\/figure>\n<\/div>\n\n\n
      COL\u30921\u672c0\u306b\u3057\u3066ROW\u3092\u8aad\u3080\u3001\u30670\u306b\u3057\u305f\u5217\u306e\u3069\u306e\u30b9\u30a4\u30c3\u30c1\u304cOn\u306b\u306a\u3063\u3066\u308b\u304b\u304c\u308f\u304b\u308b\u4ed5\u7d44\u307f\u3002
      \u3053\u308c\u3092\u5168\u90e8\u306eCOL\u3067\u9806\u756a\u306b\u3084\u308b\u3053\u3068\u3067\u5168\u90e8\u306e\u30b9\u30a4\u30c3\u30c1\u306e\u72b6\u614b\u3092\u53d6\u5f97\u3059\u308b\u3002<\/p>\n\n\n\n
      [\u632f\u308a\u8fd4\u308a\u6642\u306e\u6c17\u3065\u304d]
      \u2026\u306f\u305a\u306a\u3093\u3060\u3051\u3069\u3001\u305d\u306e\u3088\u3046\u306a\u30b3\u30fc\u30c9\u304c\u898b\u5f53\u305f\u3089\u306a\u3044\u3002
      \u3061\u3083\u3093\u3068\u52d5\u304f\u3093\u3060\u308d\u3046\u304b\u3053\u308c\u3002
      \u5f53\u65e5\u306f\u305d\u3053\u307e\u3067\u8aad\u307f\u8fbc\u307e\u305a\u3001\u300c\u3053\u306e\u95a2\u6570\u3067\u30b9\u30a4\u30c3\u30c1\u306e\u72b6\u614b\u53d6\u3063\u3066\u308b\u3093\u3060\u308d\u3046\u300d\u3068\u3044\u3046\u63a8\u6e2c\u3067\u52d5\u3044\u3066\u305f\u306e\u3067\u307e\u3063\u305f\u304f\u6c17\u3065\u3044\u3066\u306a\u304b\u3063\u305f\u3002
      [\/\u632f\u308a\u8fd4\u308a\u6642\u306e\u6c17\u3065\u304d]<\/p>\n\n\n\n
      \u5165\u529b\u30ad\u30fc\u304c\u5185\u90e8\u306e\u5024(0x0<\/code>\uff5e0xF<\/code>)\u3068\u4e00\u81f4\u3057\u3066\u306a\u304f\u3066\u3001\u30b7\u30e3\u30c3\u30d5\u30eb\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3001\u5165\u529b\u5217\u306e\u30c1\u30a7\u30c3\u30af\u304c\u5358\u7d14\u306a\u6bd4\u8f03\u3067\u306f\u306a\u304f\u3061\u3087\u3063\u3068\u51e6\u7406\u304c\u52a0\u308f\u3063\u3066\u3044\u308b\u3053\u3068\u306b\u6c17\u3092\u3064\u3051\u3066\u6b63\u89e3\u3068\u306a\u308b\u5165\u529b\u5217\u3092\u6c42\u3081\u308b\u306886EDAB934986A125<\/code>\u3068\u306a\u308b\u3002<\/p>\n\n\n\n
      Flag: SECCON{86EDAB934986A125}<\/code><\/p>\n\n\n\n
      [misc] Sniffer 1 (200pt), Sniffer 2 (100pt)<\/h2>\n\n\n
      \n
      \"\"<\/a><\/figure>\n<\/div>\n\n\n
      PC 2\u53f0\u304c\u901a\u4fe1\u3057\u3066\u304a\u308a\u3001\u9593\u306e\u30b1\u30fc\u30d6\u30eb\u306b\u3060\u3051\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u72b6\u614b\u3067\u901a\u4fe1\u5185\u5bb9\u3092\u8aad\u307f\u53d6\u308b\u5b9f\u6a5f\u30c1\u30e3\u30ec\u30f3\u30b8\u3002
      \u63d0\u4f9b\u3055\u308c\u308b\u6a5f\u6750\u306f\u30b9\u30a4\u30c3\u30c1\u3068\u304b\u3057\u3081\u5668\u3068RJ45\u30b3\u30cd\u30af\u30bf\u3002
      \u3068\u3044\u3046\u3053\u3068\u3067\u3001\u30b1\u30fc\u30d6\u30eb\u3092\u3076\u3063\u305f\u5207\u3063\u3066RJ45\u30b3\u30cd\u30af\u30bf\u53d6\u308a\u4ed8\u3051\u3066Bob\u306b\u306a\u308a\u3059\u307e\u305b\u3070OK\uff01
      \u306a\u3093\u3060\u3051\u3069\u3001\u5f53\u65e5\u306f\u30b3\u30cd\u30af\u30bf\u306f\u554f\u984c\u306a\u304f\u53d6\u308a\u4ed8\u3051\u3066ping\u306f\u901a\u3063\u305f\u306e\u306b\u3001\u306a\u3093\u304bVM\u304b\u3089\u901a\u4fe1\u304c\u3067\u304d\u306a\u304f\u3066\u7a81\u7834\u3067\u304d\u305a\u2026
      \u30d6\u30ea\u30c3\u30b8\u3055\u305b\u308bNIC\u306e\u8a2d\u5b9a\u9593\u9055\u3048\u3066\u3044\u305f\u8aac\u304c\u3042\u308a\u3001\u3068\u3066\u3082\u6094\u3057\u3044\u3002
      \u3057\u304b\u3057\u3001\u3053\u306e\u3088\u3046\u306a\u5b9f\u6a5f\u30c1\u30e3\u30ec\u30f3\u30b8\u306f\u30aa\u30f3\u30e9\u30a4\u30f3\u306eCTF\u3067\u306f\u3067\u304d\u306a\u3044\u3082\u306e\u3067\u3042\u308a\u3001\u65b0\u9bae\u3067\u3068\u3066\u3082\u826f\u304b\u3063\u305f\u3002
      \u9858\u308f\u304f\u3070\u4eca\u5f8c\u3082\u540c\u69d8\u306e\u53d6\u308a\u7d44\u307f\u304c\u7d9a\u304d\u307e\u3059\u3088\u3046\u3002
      <\/p>\n","protected":false},"excerpt":{"rendered":"
      Domestic\u306e\u65b9\u306b\u3044\u305f\u3002\u3044\u308d\u3044\u308d\u3042\u3063\u3066\u66f8\u3051\u3066\u306a\u304f\u3066\u4eca\u66f4\u611f\u3042\u308b\u3051\u3069\u3051\u3058\u3081\u3068\u3057\u3066\u3002 \u30c1\u30fc\u30e0\u5185\u3067\u5206\u62c5\u3057\u3066\u3066\u3001\u79c1\u306fJeopardy\u62c5\u5f53\u3060\u3063\u305f\u306e\u3067King of the Hill\u306e\u65b9\u306f\u898b\u3066\u304a\u3089\u305a\u4f55\u3082\u308f\u304b\u3089\u306a\u3044\u3002Jeopardy […]<\/p>\n","protected":false},"author":1,"featured_media":751,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"cybocfi_hide_featured_image":"","footnotes":""},"categories":[14],"tags":[8],"class_list":["post-750","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf","tag-ctf"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/posts\/750","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/comments?post=750"}],"version-history":[{"count":15,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/posts\/750\/revisions"}],"predecessor-version":[{"id":808,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/posts\/750\/revisions\/808"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/media\/751"}],"wp:attachment":[{"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/media?parent=750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/categories?post=750"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emeth.jp\/diary\/wp-json\/wp\/v2\/tags?post=750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}