SECCON 2017 online CTF の問題がGitHubで公開されたので、これを後追いでやってみた記事になります。
後追い記事の一覧はこちら
SECCON 2017 online CTF を後追いでみっちりやってみよう!
問題
Powerful_Shell Crack me. powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024
powerful_shell.ps1-1... はバイナリ
事前調査
Binary(完全に専門外)ということで本番中は全く手を付けなかったが、多くのグループが解けていたよう。
さらに、タイトルからPower shell
が絡んでいそう。先にちょっとpower shellを調べてみる。
要はwindowsのコマンドプロンプトの進化版のような感じらしい。LinuxやOSXのterminalみたいなもの。
スクリプトの実行もできるらしい。
$a = Get-ChildItem C:\Scripts $a
このスクリプトの 1 行目では、Get-ChildItem を使用して、C:\Scripts フォルダーに格納されているすべてのファイルとフォルダーのコレクションを取得しています。このコレクションは $a 変数に格納されます。2 行目では、$a の値を表示しているだけです。
こんな感じで変数を扱うようだ。
それではまずはいつものfile
コマンドを。
$ file powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024 powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024: ASCII text
ASCII textだと。
中身を覗いてみる
$ECCON=""; $ECCON+=[char](3783/291); $ECCON+=[char](6690/669); $ECCON+=[char](776-740); $ECCON+=[char](381-312); $ECCON+=[char](403-289); $ECCON+=[char](-301+415); $ECCON+=[char](143-32); $ECCON+=[char](93594/821); $ECCON+=[char](626-561); $ECCON+=[char](86427/873); $ECCON+=[char](112752/972); $ECCON+=[char](43680/416); $ECCON+=[char](95127/857); $ECCON+=[char](-682+792); $ECCON+=[char](-230+310); $ECCON+=[char](-732+846); $ECCON+=[char](1027-926); $ECCON+=[char](94044/922); $ECCON+=[char](898-797); $ECCON+=[char](976-862); $ECCON+=[char](52419/519); $ECCON+=[char](1430/13); .....(続く)
コマンドの雰囲気からもPowerShellっぽい。問題のタイトル大事。
しかしなんかめっちゃ長い。ぱっと見た感じ、ECCON
変数に一行につき1文字ずつ追加しているように見えるが、その文字列がflagだとすると長すぎる・・・。
$ wc -l powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024 20546 powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024
20546行もあるらしい。
基本的に、$ECCON+=[char](数式)
のフォーマットらしい。
Write-Progress -Activity "Extracting Script" -status "40" -percentComplete 0;
時々こんな感じのが現れる。最後はこんな感じ。
Write-Progress -Completed -Activity "Extracting Script";.([ScriptBlock]::Create($ECCON))
Extracting Scriptが完了ということで、$ECCON変数に入ってくる文字列がScriptになっているようだ。
解法
まずはMac環境にPowerShellをinstall。下記を参考に。
- Qiita: macOSにPowerShellをインストール、ついでに外部パッケージ(AWSPowershell.NetCore)もインストール
- rcmdnk's blog: PowerShellがオープンソース化しMacやLinuxでも使える様になった
上の方のやり方だとうまく入らなかったので、早々に諦めて下のリンクの方のpkgからinstallすることに。
installするとアプリケーションにPowerShellが追加された。これを実行するとpowershellのコンソールが立ち上がる。
早速与えられたバイナリをpowershellのps1
形式にリネームして実行してみる。
PowerfullShell> ./powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024.ps1
と、The Unicode escape sequence is not valid.
Errorが幾つか。
1:15113 char:42 + If(Test-Path variable:global:psISE){"D`eb`u`g`g`in`g is `pr`o`h`ib`it ... + ~~ The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
上記Errorが現れた行、ただのDebug防止用の行のようなので削除して再度実行。 おお、なんか出た!エラーも出ているが致命的ではなさそうなので無視。ただし、最後
Checking Host... Please wait...Failed: No admin rights!
ふむ?何をどうチェックしているかわからないが(Hostと言ってはいる)admin権限がないらしい。
Hostがどうのということは、スクリプトの実行権限なんかの問題ではなさそうなので、何をどうチェックしているかを知る必要がありそう。
ということで、まず最初のバイナリからスクリプトを読めるようにして取り出すことに。
pythonでこんな感じ。力技。
#!/usr/bin/env python3 import re import math PREFIX_CHARSET = "$ECCON" MATH_REGIX = "\$ECCON\+\=\[char\]\((.+)\);" pattern = re.compile(r"%s"%MATH_REGIX) script = "" with open('powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024', 'r') as f: line = f.readline() while line: match = pattern.search(line) if match: math_str = match.group(1) if "Math" in math_str: math_str = math_str.replace("[Math]::","") math_str = math_str.replace("[int]","") math_str = math_str.replace("sqrt","math.sqrt") math_str = math_str.replace(";","") i = eval(math_str) script += chr(int(i)) else: print("Process: "+ line) line = f.readline() with open('output', 'w') as f: f.write(script)
これを実行するとoutput
が出てきました。
$ErrorActionPreference = "ContinueSilently" [console]::BackgroundColor = "black";[console]::ForegroundColor = "white";cls;Set-Alias -Name x -Value Write-Host;$host.UI.RawUI.BufferSize = New-Object System.Management.Automation.Host.Size 95,25;$host.UI.RawUI.WindowSize = New-Object System.Management.Automation.Host.Size 95,25;$host.UI.RawUI.BufferSize = New-Object System.Management.Automation.Host.Size 95,25;$host.UI.RawUI.WindowSize = New-Object System.Management.Automation.Host.Size 95,25;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x;x; <# Host Check #> Write-Host -b 00 -f 15 Checking Host... Please wait... -n Try{ If ((Get-EventLog -LogName Security | Where EventID -Eq 4624).Length -Lt 1000) { Write-Host "This host is too fresh!" Exit } }Catch{ Write-Host "Failed: No admin rights!" Exit } Write-Host "Check passed" $keytone=@{'a'=261.63} $pk='a' ForEach($k in ('w','s','e','d','f','t','g','y','h','u','j','k')){ $keytone+=@{$k=$keytone[$pk]*[math]::pow(2,1/12)};$pk=$k } Write-Host -b 00 -f 15 "Play the secret melody." Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' ' Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' ' Write-Host -b 15 -f 00 -n ' | ' Write-Host -b 00 -f 15 -n ' ' Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' ' Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' ' Write-Host -b 15 -f 00 ' | ' Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' ' Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' ' Write-Host -b 15 -f 00 -n ' | ' Write-Host -b 00 -f 15 -n ' ' Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' ' Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' ' Write-Host -b 15 -f 00 ' | ' Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' w ' Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' e ' Write-Host -b 15 -f 00 -n ' | ' Write-Host -b 00 -f 15 -n ' t ' Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' y ' Write-Host -b 15 -f 00 -n ' ' Write-Host -b 00 -f 15 -n ' u ' Write-Host -b 15 -f 00 ' | ' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 ' ' Write-Host -b 15 -f 00 -n ' a |' Write-Host -b 15 -f 00 -n ' s |' Write-Host -b 15 -f 00 -n ' d |' Write-Host -b 15 -f 00 -n ' f |' Write-Host -b 15 -f 00 -n ' g |' Write-Host -b 15 -f 00 -n ' h |' Write-Host -b 15 -f 00 -n ' j |' Write-Host -b 15 -f 00 ' k ' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 -n ' |' Write-Host -b 15 -f 00 ' ' Write-Host $stage1=@();$f=""; While($stage1.length -lt 14){ $key=(Get-Host).ui.RawUI.ReadKey("NoEcho,IncludeKeyDown") $k=[String]$key.Character $f+=$k; If($keytone.Contains($k)){ $stage1+=[math]::floor($keytone[$k]) [console]::beep($keytone[$k],500) } } $secret=@(440,440,493,440,440,493,440,493,523,493,440,493,440,349) If($secret.length -eq $stage1.length){ For ($i=1; $i -le $secret.length; $i++) { If($secret[$i] -ne $stage1[$i]){ Exit } } x "Correct. Move to the next stage." } $text=@" YkwRUxVXQ05DQ1NOE1sVVU4TUxdTThBBFVdDTUwTURVTThMqFldDQUwdUxVRTBNEFVdAQUwRUxtT TBEzFVdDQU8RUxdTbEwTNxVVQUNOEFEVUUwdQBVXQ0NOE1EWUUwRQRtVQ0FME1EVUU8RThdVTUNM EVMVUUwRFxdVQUNCE1MXU2JOE0gWV0oxSk1KTEIoExdBSDBOE0MVO0NKTkAoERVDSTFKThNNFUwR FBVINUFJTkAqExtBSjFKTBEoF08RVRdKO0NKTldKMUwRQBc1QUo7SlNgTBNRFVdJSEZCSkJAKBEV QUgzSE8RQxdMHTMVSDVDSExCKxEVQ0o9SkwRQxVOE0IWSDVBSkJAKBEVQUgzThBXFTdDRExAKhMV Q0oxTxEzFzVNSkxVSjNOE0EWN0NITE4oExdBSjFMEUUXNUNTbEwTURVVSExCKxEVQ0o9SkwRQxVO EzEWSDVBSkJAKBEVQUgzThAxFTdDREwTURVKMUpOECoVThNPFUo3U0pOE0gWThNEFUITQBdDTBFK F08RQBdMHRQVQUwTSBVOEEIVThNPFUNOE0oXTBFDF0wRQRtDTBFKFU4TQxZOExYVTUwTSBVMEUEX TxFOF0NCE0oXTBNCFU4QQRVBTB1KFU4TThdMESsXQ04TRBVMEUMVThNXFk4TQRVNTBNIFUwRFBdP EUEXQ0ITShdME0EVThBXFU4TWxVDThNKF0wRMBdMETUbQ0wRShVOE0MWThMqFU1ME0gVTBFDF08R QxdMHUMVQUwTSBVOEEEVThNNFUwRNRVBTBFJF0wRQxtME0EVTBFAF0BOE0gVQhNGF0wTKhVBTxFK F0wdMxVOEzUXQ04QSBVOE0AVTBFVFUFMEUkXTBFDG0wTQRVMETMXQE4TSBVCE0MXTBNBFU4QQRVB TB1KFU4TQxdMEVYXTBEUG0NMEUoVThNBFk4TQRVCEygXQ0wRShdPEUMXTB1DFU4TQBdDThBIFU4T SBVMESgVQUwRSRdMEUYbTBMWFUNOE0gWThNCFUITFBdDTBFKF08RQxdMHUMVThNVF0NOEEgVThNN FUwRQxVOE0IWQUwRShtME0EVTBFVF08RQxdDQhNKF0wTQRVOEEEVThM9FUNOE0oXTBFFF0wRKBtD TBFKFU4TQRZOE0EVQhNAF0NMEUoXTxFDF0wdVRVOEzMXQ04QSBVOE00VTBFVFU4TQRZBTBFKG0wT RBVMESgXQE4TSBVCE0MXTBNBFU4QKhVBTB1KFU4TFBdMEUIXQ04TRBVMEUMVThNBFk4TNxVNTBNI FUwRQxdPEUMXTB01FUFME0gVThBBFU4TTRVMERQVQUwRSRdMEUMbTBNBFUwRQxdAThNIFUITQxdM E0EVThAxFUFMHUoVThNDF0wRVhdMEVUbQ0wRShVOE0QWThMWFU1ME0gVTBFDF08RRhdDQhNKF0wT QRVOEFcVQUwdShVOE0EXTBFFF0NOE0QVTBFDFU4TVxZOEyoVTUwTSBVMETMXTxFVF0NCE0oXTBNE FU4QQhVBTB1KFU4TQBdMERcXQ04TRBVMEUAVThNDFkFMEUobTBNCFUwRQRdAThNIFUITQRdMExYV QU8RShdMHUEVThNOF0NOEEgVThNIFUwRKBVBTBFJF0wRMxtMEzcVQ04TSBZOE0EVQhNVF0wTQRVB TxFKF0wdQxVOE0MXTBFFF0NOE0QVTBFGFU4TKhZBTBFKG0wTRBVMERQXQE4TSBVCE04XTBNXFUFP EUoXTB0zFU4TThdDThBIFU4TTRVMEUMVThMWFkFMEUobTBNCFUwRFBdAThNIFUITQxdME0EVThAx FUFMHUoVThNGF0wRQxdDThNEFUwRQRVOEyoWQUwRShtMEzcVTBFDF0BOE0gVQhMzF0wTFhVBTxFK F0wdMxVOExQXQ04QSBVOE0gVTBEUFUFMEUkXTBEzG0wTQRVDThNIFk4TQRVCEygXTBNEFUFPEUoX TB1DFU4TRhdDThBIFU4TTRVMEVUVQUwRSRdMERQbQ0wRShVOE0wWThNDFU1ME0gVTBFDF08RQxdM HTMVQUwTSBVOEEEVThNbFUwRNRVBTBFJF0wRQxtME0EVTBFAF0BOE0gVQhNDF0wTVxVOEEEVQUwd ShVOEzMXTBE2F0NOE0QVTBFBFU4TKhZBTBFKG0wTQRVMEUMXTxFDF0NCE0oXTBNBFU4QQRVOEzsV Q04TShdMEUAXTBFDG0wTQhVDThNIFk4TRBVCEygXQ0wRShdPEUYXTB0UFUFME0gVThBDFU4TTRVD ThNKF0wRQBdMEUMbTBNBFUNOE0gWThNBFUITQxdME0EVQU8RShdMHUMVThNVF0wRVhdDThNEFUwR RhVOEyoWQUwRShtME0MVTBEzF0BOE0gVQhNDF0wTQRVOEEEVQUwdShVOExQXTBFNF0NOE0QVTBFG FU4TRBZBTBFKG0wTRBVMERQXQE4TSBVCEzUXTBMWFUFPEUoXTB1DFU4TRhdDThBIFU4TTRVMEVUV QUwRSRdMERQbQ0wRShVOE0wWThNDFU1ME0gVTBFDF08RQxdMHTMVQUwTSBVOEEEVThNbFUwRNRVB TBFJF0wRQxtME0EVTBFAF0BOE0gVQhNDF0wTVxVOEEEVQUwdShVOEzMXTBE2F0NOE0QVTBFBFU4T KhZBTBFKG0wTQRVMEUMXTxFDF0NCE0oXTBNBFU4QQRVOEzsVQ04TShdMEUAXTBFDG0wTQhVDThNI Fk4TRBVCEygXQ0wRShdPEUYXTB0zFUFME0gVThBMFU4TSBVDThNKF0wRQxdMERQbQ0wRShVOE0IW ThNDFU1ME0gVTBFAF08RQRdDQhNKF0wTQxVOEBYVQUwdShVOE0EXTBFNF0NOE0QVTBFDFU4TKhZO E0QVTUwTSBVMEUYXTxFAF0NCE0oXTBNCFU4QFhVBTB1KFU4TQBdMEUIXQ04TRBVMEUAVThNDFkFM EUobTBNDFUwRFBdAThNIFUITQRdME0wVQU8RShdMHUMVThMoF0wRNhdDThNEFUwRRhVOEzEWQUwR ShtME0EVTBFGF0BOE0gVQhNDF0wTVxVBTxFKF0wdQxVOEygXTBE2FxROE10VShZOTBFTF2E= "@ $plain=@() $byteString = [System.Convert]::FromBase64String($text) $xordData = $(for ($i = 0; $i -lt $byteString.length; ) { for ($j = 0; $j -lt $f.length; $j++) { $plain+=$byteString[$i] -bxor $f[$j] $i++ if ($i -ge $byteString.Length) { $j = $f.length } } }) iex([System.Text.Encoding]::ASCII.GetString($plain))
[console]から始まるブロックでconsoleの色を変えたり「SECCON」ロゴを表示しているっぽい。
その後の<# Host Check #>
ブロックでさっき引っかかったチェックを行っているよう。後に影響しそうな処理がないので全部コメントアウト。
output.ps1
にリネームして実行してみる。
PowerfullShell> ./output.ps1
おおお、鍵盤が現れました。
Play the secret melody.
だそうで、再度output
の中身を覗いてみる。
$keytone=@{'a'=261.63}
,音楽をかじっていたおかげて、ぱっと見でkeytoneが"ド(C)"らしい、というのが読み取れる。
次の数式はめんどそうなので読み飛ばし。
Write-Host -b ** -f ** -n **
が続くブロックは、鍵盤の描画のようなので、これも読み飛ばして次に。
$stage1=@();$f=""; While($stage1.length -lt 14){ $key=(Get-Host).ui.RawUI.ReadKey("NoEcho,IncludeKeyDown") $k=[String]$key.Character $f+=$k; If($keytone.Contains($k)){ $stage1+=[math]::floor($keytone[$k]) <#[console]::beep($keytone[$k])#> } }
このブロック(stage1ということはstage2もあるのか・・・)で、(Get-Host).ui.RawUI.ReadKey("NoEcho,IncludeKeyDown")
してるので、key入力を読んで$key
に格納、charとして$f
に入れられることがわかる。更に、上で読み飛ばした数式により生成された$keytone
を用いてbeep音がなるらしい。
すなわち、鍵盤に書かれたkeyを叩くと演奏できるようだ。
で、上でPlay the secret melody.
といわれているので、このsecret melody
を探します。
$secret=@(440,440,493,440,440,493,440,493,523,493,440,493,440,349)
ありました。すぐ先に。
これの配列を先程の数式に当てはめてkeyの対応を出しても良いし、周波数で記述されているので440
(音階のラ、よくチューニングに用いられる周波数)でピンとくれば数式は無視したまま音階が得られます。
ということで、ここは周波数対応表などを見ながら
ララシララシラシドシラシラファ
がsecret melodyであることを確認。「さくら」の旋律だ。
keyとの対応を確認して
hhjhhjhjkjhjhf
を入力。私の環境ではエラーが出てbeepはならなかったけども最初に
$ErrorActionPreference = "ContinueSilently"
と宣言しているので問題なく進めました。
secret melodyを入力後のpowershellコンソール
Correct. Move to the next stage. Process is terminating due to StackOverflowException. Abort trap: 6 logout Saving session... ...copying shared history... ...saving history...truncating history files... ...completed. Deleting expired sessions...8 completed.
なにーっ!StackOverflowException...
PowerShellのインストール方法や設定がまだいけていないのかもしれないが、そこを調査し始めるとすごく時間がかかりそう。
WindowsPCを入手してWin環境でやってみるのも手だけども、いけそうだったのでoutput
を解読して他言語(python)で書き直すことに。
幸い、あと残っているのは$text=@"
以降の処理のみ。
また、そこで使用される変数で必要なものは、上で入手した$f (="hhjhhjhjkjhjhf")
のみ。
どうやら$text
と$f
のxor
を取っているようだ。
#!/usr/bin/env python3 # -*- coding:utf-8 -*- import base64 text = "YkwRUxVXQ05DQ1NOE1sVVU4TUxdTThBBFVdDTUwTURVTThMqFldDQUwdUxVRTBNEFVdAQUwRUxtT\n" + \ "TBEzFVdDQU8RUxdTbEwTNxVVQUNOEFEVUUwdQBVXQ0NOE1EWUUwRQRtVQ0FME1EVUU8RThdVTUNM\n" + \ "EVMVUUwRFxdVQUNCE1MXU2JOE0gWV0oxSk1KTEIoExdBSDBOE0MVO0NKTkAoERVDSTFKThNNFUwR\n" + \ "FBVINUFJTkAqExtBSjFKTBEoF08RVRdKO0NKTldKMUwRQBc1QUo7SlNgTBNRFVdJSEZCSkJAKBEV\n" + \ "QUgzSE8RQxdMHTMVSDVDSExCKxEVQ0o9SkwRQxVOE0IWSDVBSkJAKBEVQUgzThBXFTdDRExAKhMV\n" + \ "Q0oxTxEzFzVNSkxVSjNOE0EWN0NITE4oExdBSjFMEUUXNUNTbEwTURVVSExCKxEVQ0o9SkwRQxVO\n" + \ "EzEWSDVBSkJAKBEVQUgzThAxFTdDREwTURVKMUpOECoVThNPFUo3U0pOE0gWThNEFUITQBdDTBFK\n" + \ "F08RQBdMHRQVQUwTSBVOEEIVThNPFUNOE0oXTBFDF0wRQRtDTBFKFU4TQxZOExYVTUwTSBVMEUEX\n" + \ "TxFOF0NCE0oXTBNCFU4QQRVBTB1KFU4TThdMESsXQ04TRBVMEUMVThNXFk4TQRVNTBNIFUwRFBdP\n" + \ "EUEXQ0ITShdME0EVThBXFU4TWxVDThNKF0wRMBdMETUbQ0wRShVOE0MWThMqFU1ME0gVTBFDF08R\n" + \ "QxdMHUMVQUwTSBVOEEEVThNNFUwRNRVBTBFJF0wRQxtME0EVTBFAF0BOE0gVQhNGF0wTKhVBTxFK\n" + \ "F0wdMxVOEzUXQ04QSBVOE0AVTBFVFUFMEUkXTBFDG0wTQRVMETMXQE4TSBVCE0MXTBNBFU4QQRVB\n" + \ "TB1KFU4TQxdMEVYXTBEUG0NMEUoVThNBFk4TQRVCEygXQ0wRShdPEUMXTB1DFU4TQBdDThBIFU4T\n" + \ "SBVMESgVQUwRSRdMEUYbTBMWFUNOE0gWThNCFUITFBdDTBFKF08RQxdMHUMVThNVF0NOEEgVThNN\n" + \ "FUwRQxVOE0IWQUwRShtME0EVTBFVF08RQxdDQhNKF0wTQRVOEEEVThM9FUNOE0oXTBFFF0wRKBtD\n" + \ "TBFKFU4TQRZOE0EVQhNAF0NMEUoXTxFDF0wdVRVOEzMXQ04QSBVOE00VTBFVFU4TQRZBTBFKG0wT\n" + \ "RBVMESgXQE4TSBVCE0MXTBNBFU4QKhVBTB1KFU4TFBdMEUIXQ04TRBVMEUMVThNBFk4TNxVNTBNI\n" + \ "FUwRQxdPEUMXTB01FUFME0gVThBBFU4TTRVMERQVQUwRSRdMEUMbTBNBFUwRQxdAThNIFUITQxdM\n" + \ "E0EVThAxFUFMHUoVThNDF0wRVhdMEVUbQ0wRShVOE0QWThMWFU1ME0gVTBFDF08RRhdDQhNKF0wT\n" + \ "QRVOEFcVQUwdShVOE0EXTBFFF0NOE0QVTBFDFU4TVxZOEyoVTUwTSBVMETMXTxFVF0NCE0oXTBNE\n" + \ "FU4QQhVBTB1KFU4TQBdMERcXQ04TRBVMEUAVThNDFkFMEUobTBNCFUwRQRdAThNIFUITQRdMExYV\n" + \ "QU8RShdMHUEVThNOF0NOEEgVThNIFUwRKBVBTBFJF0wRMxtMEzcVQ04TSBZOE0EVQhNVF0wTQRVB\n" + \ "TxFKF0wdQxVOE0MXTBFFF0NOE0QVTBFGFU4TKhZBTBFKG0wTRBVMERQXQE4TSBVCE04XTBNXFUFP\n" + \ "EUoXTB0zFU4TThdDThBIFU4TTRVMEUMVThMWFkFMEUobTBNCFUwRFBdAThNIFUITQxdME0EVThAx\n" + \ "FUFMHUoVThNGF0wRQxdDThNEFUwRQRVOEyoWQUwRShtMEzcVTBFDF0BOE0gVQhMzF0wTFhVBTxFK\n" + \ "F0wdMxVOExQXQ04QSBVOE0gVTBEUFUFMEUkXTBEzG0wTQRVDThNIFk4TQRVCEygXTBNEFUFPEUoX\n" + \ "TB1DFU4TRhdDThBIFU4TTRVMEVUVQUwRSRdMERQbQ0wRShVOE0wWThNDFU1ME0gVTBFDF08RQxdM\n" + \ "HTMVQUwTSBVOEEEVThNbFUwRNRVBTBFJF0wRQxtME0EVTBFAF0BOE0gVQhNDF0wTVxVOEEEVQUwd\n" + \ "ShVOEzMXTBE2F0NOE0QVTBFBFU4TKhZBTBFKG0wTQRVMEUMXTxFDF0NCE0oXTBNBFU4QQRVOEzsV\n" + \ "Q04TShdMEUAXTBFDG0wTQhVDThNIFk4TRBVCEygXQ0wRShdPEUYXTB0UFUFME0gVThBDFU4TTRVD\n" + \ "ThNKF0wRQBdMEUMbTBNBFUNOE0gWThNBFUITQxdME0EVQU8RShdMHUMVThNVF0wRVhdDThNEFUwR\n" + \ "RhVOEyoWQUwRShtME0MVTBEzF0BOE0gVQhNDF0wTQRVOEEEVQUwdShVOExQXTBFNF0NOE0QVTBFG\n" + \ "FU4TRBZBTBFKG0wTRBVMERQXQE4TSBVCEzUXTBMWFUFPEUoXTB1DFU4TRhdDThBIFU4TTRVMEVUV\n" + \ "QUwRSRdMERQbQ0wRShVOE0wWThNDFU1ME0gVTBFDF08RQxdMHTMVQUwTSBVOEEEVThNbFUwRNRVB\n" + \ "TBFJF0wRQxtME0EVTBFAF0BOE0gVQhNDF0wTVxVOEEEVQUwdShVOEzMXTBE2F0NOE0QVTBFBFU4T\n" + \ "KhZBTBFKG0wTQRVMEUMXTxFDF0NCE0oXTBNBFU4QQRVOEzsVQ04TShdMEUAXTBFDG0wTQhVDThNI\n" + \ "Fk4TRBVCEygXQ0wRShdPEUYXTB0zFUFME0gVThBMFU4TSBVDThNKF0wRQxdMERQbQ0wRShVOE0IW\n" + \ "ThNDFU1ME0gVTBFAF08RQRdDQhNKF0wTQxVOEBYVQUwdShVOE0EXTBFNF0NOE0QVTBFDFU4TKhZO\n" + \ "E0QVTUwTSBVMEUYXTxFAF0NCE0oXTBNCFU4QFhVBTB1KFU4TQBdMEUIXQ04TRBVMEUAVThNDFkFM\n" + \ "EUobTBNDFUwRFBdAThNIFUITQRdME0wVQU8RShdMHUMVThMoF0wRNhdDThNEFUwRRhVOEzEWQUwR\n" + \ "ShtME0EVTBFGF0BOE0gVQhNDF0wTVxVBTxFKF0wdQxVOEygXTBE2FxROE10VShZOTBFTF2E=" plain=[] byteString = base64.b64decode(text) f = "hhjhhjhjkjhjhf".encode('ascii') i = 0 while(i < len(byteString)): j = 0 while(j < len(f)): plain.append(chr(byteString[i] ^ f[j])) i += 1 j += 1 if i == len(byteString): print("j is len(f)") j = len(f) with open('stage2_output', 'w') as f: f.write("".join(plain))
出力のstage2_output
を確認
${;}=+$();${=}=${;};${+}=++${;};${@}=++${;};${.}=++${;};${[}=++${;}; ${]}=++${;};${(}=++${;};${)}=++${;};${&}=++${;};${|}=++${;}; ${"}="["+"$(@{})"[${)}]+"$(@{})"["${+}${|}"]+"$(@{})"["${@}${=}"]+"$?"[${+}]+"]"; ${;}="".("$(@{})"["${+}${[}"]+"$(@{})"["${+}${(}"]+"$(@{})"[${=}]+"$(@{})"[${[}]+"$?"[${+}]+"$(@{})"[${.}]); ${;}="$(@{})"["${+}${[}"]+"$(@{})"[${[}]+"${;}"["${@}${)}"];"${"}${.}${(}+${"}${(}${|}+${"}${(}${)}+${"}${(}${)}+${"}${)}${|}+${"}${)}${&}+${"}${(}${+}+${"}${&}${@}+${"}${+}${=}${+}+${"}${|}${)}+${"}${+}${=}${=}+${"}${[}${]}+${"}${)}${@}+${"}${+}${+}${+}+${"}${+}${+}${]}+${"}${+}${+}${(}+${"}${.}${@}+${"}${[}${]}+${"}${&}${=}+${"}${+}${+}${[}+${"}${+}${+}${+}+${"}${+}${=}${|}+${"}${+}${+}${@}+${"}${+}${+}${(}+${"}${.}${@}+${"}${.}${|}+${"}${(}${|}+${"}${+}${+}${=}+${"}${+}${+}${(}+${"}${+}${=}${+}+${"}${+}${+}${[}+${"}${.}${@}+${"}${+}${+}${(}+${"}${+}${=}${[}+${"}${+}${=}${+}+${"}${.}${@}+${"}${+}${+}${@}+${"}${|}${)}+${"}${+}${+}${]}+${"}${+}${+}${]}+${"}${+}${+}${|}+${"}${+}${+}${+}+${"}${+}${+}${[}+${"}${+}${=}${=}+${"}${.}${|}+${"}${+}${.}+${"}${+}${=}+${"}${)}${.}+${"}${+}${=}${@}+${"}${[}${=}+${"}${.}${(}+${"}${(}${|}+${"}${(}${)}+${"}${(}${)}+${"}${)}${|}+${"}${)}${&}+${"}${.}${@}+${"}${[}${]}+${"}${+}${=}${+}+${"}${+}${+}${.}+${"}${.}${@}+${"}${.}${|}+${"}${&}${=}+${"}${[}${&}+${"}${+}${+}${|}+${"}${(}${|}+${"}${+}${+}${[}+${"}${.}${(}+${"}${)}${@}+${"}${]}${+}+${"}${[}${|}+${"}${[}${|}+${"}${.}${|}+${"}${[}${+}+${"}${+}${@}${.}+${"}${+}${.}+${"}${+}${=}+${"}${|}+${"}${&}${)}+${"}${+}${+}${[}+${"}${+}${=}${]}+${"}${+}${+}${(}+${"}${+}${=}${+}+${"}${[}${]}+${"}${)}${@}+${"}${+}${+}${+}+${"}${+}${+}${]}+${"}${+}${+}${(}+${"}${.}${@}+${"}${.}${|}+${"}${)}${+}+${"}${+}${+}${+}+${"}${+}${+}${+}+${"}${+}${=}${=}+${"}${.}${@}+${"}${)}${[}+${"}${+}${+}${+}+${"}${|}${&}+${"}${.}${.}+${"}${.}${|}+${"}${]}${|}+${"}${+}${.}+${"}${+}${=}+${"}${|}+${"}${&}${)}+${"}${+}${+}${[}+${"}${+}${=}${]}+${"}${+}${+}${(}+${"}${+}${=}${+}+${"}${[}${]}+${"}${)}${@}+${"}${+}${+}${+}+${"}${+}${+}${]}+${"}${+}${+}${(}+${"}${.}${@}+${"}${.}${[}+${"}${&}${.}+${"}${(}${|}+${"}${(}${)}+${"}${(}${)}+${"}${)}${|}+${"}${)}${&}+${"}${+}${@}${.}+${"}${.}${(}+${"}${(}${|}+${"}${(}${)}+${"}${(}${)}+${"}${)}${|}+${"}${)}${&}+${"}${+}${@}${]}+${"}${.}${[}+${"}${+}${.}+${"}${+}${=}+${"}${+}${@}${]}|${;}"|&${;}
あひゃーなんじゃこりゃ・・・。間違えたかな?
と思いつつも、chr(i)とか言う処理を入れたにしてはきれいすぎる出力。
この変換プロセスでStackOverflowException
が出ていたことを期待して、再度powershellでこの出力をps1形式にして実行。
Process is terminating due to StackOverflowException. Abort trap: 6 logout Saving session... ...copying shared history... ...saving history...truncating history files... ...completed.
うーん、このスクリプトの実行で落ちていたのね。残念。
なんか読もうと思ったら読めそうだから、powershellスクリプトが難読化されていると推測し、解読を試みる&こういう形式の出力になる難読化ツールがないか調べてみる。
※ツールの調査の方は結局する前に終わった
このソースは全部で5行。分けて実行した結果、最後の行で落ちているようなので、そこまでを先ずはpowershellで実行し、各変数の値を出力してみる。
print_vars.ps1
${;}=+$();${=}=${;};${+}=++${;};${@}=++${;};${.}=++${;};${[}=++${;}; ${]}=++${;};${(}=++${;};${)}=++${;};${&}=++${;};${|}=++${;}; ${"}="["+"$(@{})"[${)}]+"$(@{})"["${+}${|}"]+"$(@{})"["${@}${=}"]+"$?"[${+}]+"]"; ${;}="".("$(@{})"["${+}${[}"]+"$(@{})"["${+}${(}"]+"$(@{})"[${=}]+"$(@{})"[${[}]+"$?"[${+}]+"$(@{})"[${.}]); Write-Output "=: ${=}" Write-Output "+: ${+}" Write-Output "@: ${@}" Write-Output ".: ${.}" Write-Output "[: ${[}" Write-Output "]: ${]}" Write-Output "(: ${(}" Write-Output "): ${)}" Write-Output "&: ${&}" Write-Output "|: ${|}" Write-Output "`": ${"}" Write-Output ";: ${;}"
実行コマンド
PowerfullShell> ./print_vars.ps1
実行結果
=: 0 +: 1 @: 2 .: 3 [: 4 ]: 5 (: 6 ): 7 &: 8 |: 9 ": [CHar] ;: string Insert(int startIndex, string value)
あとは、5行目のコードを上記変数の値で置き換え。スクリプトを書いても良かったが、たかだか12個なのでテキストエディタで置換。するとこんな感じ。
string Insert(int startIndex, string value)="$(@{})"["14"]+"$(@{})"[4]+"string Insert(int startIndex, string value)"["27"]; "[CHar]36+[CHar]69+[CHar]67+[CHar]67+[CHar]79+[CHar]78+[CHar]61+[CHar]82+[CHar]101+[CHar]97+[CHar]100+[CHar]45+[CHar]72+[CHar]111+[CHar]115+[CHar]116+[CHar]32+[CHar]45+[CHar]80+[CHar]114+[CHar]111+[CHar]109+[CHar]112+[CHar]116+[CHar]32+[CHar]39+[CHar]69+[CHar]110+[CHar]116+[CHar]101+[CHar]114+[CHar]32+[CHar]116+[CHar]104+[CHar]101+[CHar]32+[CHar]112+[CHar]97+[CHar]115+[CHar]115+[CHar]119+[CHar]111+[CHar]114+[CHar]100+[CHar]39+[CHar]13+[CHar]10+[CHar]73+[CHar]102+[CHar]40+[CHar]36+[CHar]69+[CHar]67+[CHar]67+[CHar]79+[CHar]78+[CHar]32+[CHar]45+[CHar]101+[CHar]113+[CHar]32+[CHar]39+[CHar]80+[CHar]48+[CHar]119+[CHar]69+[CHar]114+[CHar]36+[CHar]72+[CHar]51+[CHar]49+[CHar]49+[CHar]39+[CHar]41+[CHar]123+[CHar]13+[CHar]10+[CHar]9+[CHar]87+[CHar]114+[CHar]105+[CHar]116+[CHar]101+[CHar]45+[CHar]72+[CHar]111+[CHar]115+[CHar]116+[CHar]32+[CHar]39+[CHar]71+[CHar]111+[CHar]111+[CHar]100+[CHar]32+[CHar]74+[CHar]111+[CHar]98+[CHar]33+[CHar]39+[CHar]59+[CHar]13+[CHar]10+[CHar]9+[CHar]87+[CHar]114+[CHar]105+[CHar]116+[CHar]101+[CHar]45+[CHar]72+[CHar]111+[CHar]115+[CHar]116+[CHar]32+[CHar]34+[CHar]83+[CHar]69+[CHar]67+[CHar]67+[CHar]79+[CHar]78+[CHar]123+[CHar]36+[CHar]69+[CHar]67+[CHar]67+[CHar]79+[CHar]78+[CHar]125+[CHar]34+[CHar]13+[CHar]10+[CHar]125|string Insert(int startIndex, string value)" |&string Insert(int startIndex, string value)
ふむ。前後に関数っぽいのがついているが、とにかく次はこの[CHar]{int}
の文字列が何なのかを見てみよう。
該当箇所だけ切り出して、スクリプトを書きやすいようにintのリストに変更すると、下記のように。
chars.txt
36,69,67,67,79,78,61,82,101,97,100,45,72,111,115,116,32,45,80,114,111,109,112,116,32,39,69,110,116,101,114,32,116,104,101,32,112,97,115,115,119,111,114,100,39,13,10,73,102,40,36,69,67,67,79,78,32,45,101,113,32,39,80,48,119,69,114,36,72,51,49,49,39,41,123,13,10,9,87,114,105,116,101,45,72,111,115,116,32,39,71,111,111,100,32,74,111,98,33,39,59,13,10,9,87,114,105,116,101,45,72,111,115,116,32,34,83,69,67,67,79,78,123,36,69,67,67,79,78,125,34,13,10,125
pythonでツールを作成して文字列に変換してみる。
chars.py
#!/usr/bin/env python3 # -*- coding:utf-8 -*- with open('chars.txt', 'r') as f: line = f.readline() chars = line.split(',') for c in chars: print(chr(int(c)), end="")
実行
$ python chars.py
結果
$ECCON=Read-Host -Prompt 'Enter the password' If($ECCON -eq 'P0wEr$H311'){ Write-Host 'Good Job!'; Write-Host "SECCON{$ECCON}" }
flag出てきた!
なんだか力技部分が多かった気がするが、それぞれのstageが割としっかり「ここまで合っていますよ」感があったので楽しんで解けた。
この問題は競技中に解けたかもしれない、、、と悔やまれるが、それを時間内に見極めるのが難しい。