Subscribed unsubscribe Subscribe Subscribe

LabyREnth CTF (Unix)

1. はじめに

LabyREnth CTF - くじらとたぬきと同じ.

 

2. writeup

Perl (Unix Lv1)

 zipを解凍する(Pass : infected)とbowie.plが出てくる. 

 

 (一部抜粋)

my $input = ;
$input = trim($input);
if ($input eq (chr(5156 - 5035) . chr(-4615 - -4716) . chr(3162 - 3047))) {
 $a = $a . MIME::Base64::decode("R0lGODlh2AEoA+f/ABQPDQ8RDxITGyASFBQVHBQWExcVGBsUGBkVFB8TGRwWEB4UHhEYHhQYGhgYEBYYFhgYHxgaFxcbHRwaHSAZHB4aGSYYHhocGh0dFiEcFiAbJScbFx0eHBcgHhweJhsgFxYgJyQhISEiICMiGychGyggIikoJykpIi0oIiwpLiYsJiMsMCgqOCwsIDQpJzgpITspGjIrITItGzAvLTIvKTs0MTU2MU4xIFUxFEo1Hjk3Pkg1JjA6Pzo5LUI3LkA5J0I7Nzw9Nz5FPkZDPl0/LGU/KUJGTU9GL0hHOlhELlREPE5GO01HNlJFQldFOGJEI0ZNRU5LRYFBI3ZJJ1VSTXdMM2hRPHJQKnBQMGxRNVBXUGVSRFpVSVBWXVxVRGBVO2BTT2NTSlxZU5BTO4RaRIhaOnhfSnxfQ3RgUn9fPoJfOG9hXXBjSXNhWGtkUmdkX2pkWF9nX6BaOV5semZrb5VkO6FhO6FiSpdoSYBuZY1tS5BtRIhuWH9xVoxuUXpyYIRvYXlyZn5wbHRzbbJyVql3VqF7Tat4Tpt7YZR8cp98Wo9/b6B9VX+DgIyAeHSFjpGAa5WAYYSDd4iBgbqHYbCMY66MbKCOhqKPebONXaWRY5OSkKSQcpqSgJeSiaqRa4iWoZKirLudd8yZccKccbCelbagcLiegaaimLKgiqOjobOigKujkMqefsujbNGrf8uujcGvpMOxjruyn8KxmbezqciygbiysrG4tbrCvcS/vrjExea8j+C8odXBpNPAtsjEuczEsNvCmc3Fpea/muDElMLLxszIzr/MzcnKx8fMzs3SzsHV3snU1ejSqPPOsOPRxufStt7Vtd7Uy9bXy9nV2N7WwdHc3tjb2OPj4eTk19/k5/fittnm5/vgxOrm0fHlx/Pk0fDm3fDq6unt6eLv8Ozu4ufu9Oj19uv0/P7y5On46/D1+PD37Pj17P322O748/X28+v5+fv66P/3/fb7/vX98f/6+fD+/vr8+fX/+v799P/8//n+//3//P///yH+CEVudHJldnVlACH5BAEKAP8ALAAAAADYASgDAAj+AM21G0hQIMGDCBMqHGivob2DDiNKnMhw4kOCESs2HKjPosePICfqG0mypMmTJv35I7mvpct9Kv29VImypr58OHPijMmzp8+f+3TeG3ov38t57ty1pMnypbt8MfvFtDevasuh/vLFg5o1a75+/OrVk/qzrNmzaNOqXctWrc23cOPKLck0n9i7dw0e1Luw78KMGENSbOcRokONFwUrXtxwblym+l66jDlzpWOdOtuaDeqVKFeX9iTvK2nU5VOu/cg2tLpvaE6VXFH3G6u5tu3buGs73s0bbl28eP0KH274IuLFxS0mBMy4OcjeckXDlCnZ8lzMr3PHhHrPn2vK0rv++osHL17S81uhpla5j+q8fe6GjotNfzs/rtrz69+fFrp/m9hltp1dwIlF3IHCbZScYgh9tNxhxzkn4X9vSWfhaJcFmN9rOBXVk2g9xSOiiOe5s5U//JDVnlXxjUNOPF5lJeJOWfHD34044kjhjiQFKGBOBRqI4JDEQdiXkQsqmFySEjLmGDxQRhnlSfBcKN1uPuq3E1T4wQafUtPlc5M+UZKIHlQpsudeUuOMI855MMVDzosn5mjnnbnxuBs8VPoYYJBi8TWQoEQiqGSCf0n04KFNNrmnlJCWBKWVX7qEpYZ45mQemDmVB08+ULpDjjmkmhPfPTaqWRVS4rRqzpv+SWmDzZx14mnrrf3pOReUkn7qJ2aA1kPqXgYRWuixyCKm7HERNirSk5BK2SulSVmaIXZlZcmWTiOWaKKJ5YlITjbalGtqUfzwU1RLq6rT6jTaiOOuNtRQY86LXeKqr1o08tSvW7qeFGB63I5o8IzAAjpsQQKVmuzDCh2aKGDNJubsR3xCGy2vJE16YYktXYrtT9r6lNNI2JFoHqkliktOufXWq825KK676jzquAuNNTmLAwwwyZj61L5Ep5XdgH6WFbBJPhKs6cEGYxfswoOWarWxEGd9rKKLftSxtNGSqfHGvW6cMYW/jmwyfVyRCY9SWsFX7jTU6FJLJ6jUAoz+OeoI7Q699QJTi73uiEPUPqt+o7g41gTD8zfBsPJLvEl1uF++/xa94dEDLk1a2joVyA479YzOTmqlK8zX1VZr7frDXDcY0khh184xXGbf7rbZPIIuoMmw6SSaO+pQI3gsqCTfySLMQ9LJ4DjPY069jQcTzDc5w5n4N+GEY0004Hg/i+TZK/WUh9phnq/muf3eueco+46T6KSPPtZsU6/OOtWv93/gYLKTGEF4Zzvd1SR3Z9sd2XYkv8ytbSdgQpw2BNeJTpQiFrX4xS9ikQpasAISf/jDImZhDe55zxrW8MUwpBGOnLmwKu8AB/ii4YsZ0qKDJSwf3DDVFvWx73L+nAse/FAWLPoBinSoy1+x9sc//znRL7FjkkQQSEXcIZB2V2RgA82CGfZUZYKsYEUnUjGLXwQDGmiMBS184QtaYAISkBihL7oXjTr6QhY17J44uhcOcIBDGtKwoy8AuQpO0AKFruJUydbiwx8ajYdecSBOeGRAfcSjiMCxX7CSqDomXu2JoIQixXiHEg==");

  このように入力を受け入れ一致すればbase64でdecodeを行うという処理を繰り返す.

eval MIME::Base64::decode("...省略...");

 普通にbase64でdecodeを繰り返す中でevalで実行するスクリプトが紛れている. これをbase64でdecodeを行うとまた同じことが行われる. ここで正規表現を用いてbase64の部分を抽出して, eval毎にファイルに分割するプログラムをsep_eval.py, それらをdecodeして合成するプログラムをsolve_perl.pyとした.


 これを実行するとgifが出てくる.

f:id:kmdnet:20160820112458p:plain

 

FLAG : PAN{L3ts_533_h0W_U_deal_w_th1s_little_511CE}

 

kmdnet