아모에요 https://dys4nt.tistory.com/ 즐감 ko Mon, 13 Apr 2026 04:38:36 +0900 TISTORY 100 dys4nt 아모에요 https://tistory1.daumcdn.net/tistory/6375709/attach/2c179b423a5a4c50a5a328842c6f1adf https://dys4nt.tistory.com [cryptohack.org] General https://dys4nt.tistory.com/51 <h4 data-ke-size="size20">Encoding</h4> <p data-ke-size="size16">ASCII</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">주어진 리스트를 복붙한 다음 chr를 이용해서 파이썬 스크립트를 구현하면</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1689036387807" class="python" data-ke-language="python" data-ke-type="codeblock"><code>li = [99, 114, 121, 112, 116, 111, 123, 65, 83, 67, 73, 73, 95, 112, 114, 49, 110, 116, 52, 98, 108, 51, 125] res = "" for n in li: res += chr(n) print(res)</code></pre> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="568"><span data-url="https://blog.kakaocdn.net/dn/mNimN/btsm5sH5uTH/nkLKZnTnQtSZxt4hKnWGJ1/img.png" data-phocus="https://blog.kakaocdn.net/dn/mNimN/btsm5sH5uTH/nkLKZnTnQtSZxt4hKnWGJ1/img.png"><img src="https://blog.kakaocdn.net/dn/mNimN/btsm5sH5uTH/nkLKZnTnQtSZxt4hKnWGJ1/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FmNimN%2Fbtsm5sH5uTH%2FnkLKZnTnQtSZxt4hKnWGJ1%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="568" data-origin-width="995" data-origin-height="568"/></span></figure> </p> <p data-ke-size="size16">crypto{ASCII_pr1nt4bl3}</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Hex</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">마찬가지로 hex로 인코딩된 문자열이 주어진다. 이를 bytes.fromhex() 함수를 이용해서 bytes로 치환하자.</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1689036598289" class="python" data-ke-language="python" data-ke-type="codeblock"><code>s = "63727970746f7b596f755f77696c6c5f62655f776f726b696e675f776974685f6865785f737472696e67735f615f6c6f747d" b = bytes.fromhex(s) print(b)</code></pre> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="568"><span data-url="https://blog.kakaocdn.net/dn/cVFREq/btsm9gfJi1x/uVZbxYeGJ9XeYXwBdkVkPK/img.png" data-phocus="https://blog.kakaocdn.net/dn/cVFREq/btsm9gfJi1x/uVZbxYeGJ9XeYXwBdkVkPK/img.png"><img src="https://blog.kakaocdn.net/dn/cVFREq/btsm9gfJi1x/uVZbxYeGJ9XeYXwBdkVkPK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcVFREq%2Fbtsm9gfJi1x%2FuVZbxYeGJ9XeYXwBdkVkPK%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="568" data-origin-width="995" data-origin-height="568"/></span></figure> </p> <p data-ke-size="size16">crypto{You_will_be_working_with_hex_strings_a_lot}</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Base64</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">hex string이 주어지고 이를 byte array로 바꾼 다음 bae64.b64encode() 함수로 b64 encode하자.</p> <pre id="code_1689037222578" class="python" data-ke-language="python" data-ke-type="codeblock"><code>import base64 s = "72bca9b68fc16ac7beeb8f849dca1d8a783e8acf9679bf9269f7bf" b = bytes.fromhex(s) print(base64.b64encode(b))</code></pre> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="211"><span data-url="https://blog.kakaocdn.net/dn/bIvZev/btsm8Y0LbCQ/2T3pABJLT53csv7Q3op8eK/img.png" data-phocus="https://blog.kakaocdn.net/dn/bIvZev/btsm8Y0LbCQ/2T3pABJLT53csv7Q3op8eK/img.png"><img src="https://blog.kakaocdn.net/dn/bIvZev/btsm8Y0LbCQ/2T3pABJLT53csv7Q3op8eK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbIvZev%2Fbtsm8Y0LbCQ%2F2T3pABJLT53csv7Q3op8eK%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="211" data-origin-width="995" data-origin-height="211"/></span></figure> </p> <p data-ke-size="size16">crypto/Base+64+Encoding+is+Web+Safe/</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Bytes and Big Integers</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">long 숫자가 주어지고 이를 pycryptodome 패키지의 long_to_bytes 함수를 이용해서 bytes로 바꾼 다음 출력하면 된다.</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1689037136050" class="python" data-ke-language="python" data-ke-type="codeblock"><code>from Crypto.Util.number import * num = 11515195063862318899931685488813747395775516287289682636499965282714637259206269 b = long_to_bytes(num) print(b)</code></pre> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="245"><span data-url="https://blog.kakaocdn.net/dn/cWBKTd/btsm2IYLqH7/OLmbByPKr3SvuhkwWT6Qy0/img.png" data-phocus="https://blog.kakaocdn.net/dn/cWBKTd/btsm2IYLqH7/OLmbByPKr3SvuhkwWT6Qy0/img.png"><img src="https://blog.kakaocdn.net/dn/cWBKTd/btsm2IYLqH7/OLmbByPKr3SvuhkwWT6Qy0/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcWBKTd%2Fbtsm2IYLqH7%2FOLmbByPKr3SvuhkwWT6Qy0%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="245" data-origin-width="995" data-origin-height="245"/></span></figure> </p> <p data-ke-size="size16">crypto{3nc0d1n6_4ll_7h3_w4y_d0wn}</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Encoding Challenge</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1689039075446" class="python" data-ke-language="python" data-ke-type="codeblock"><code>#!/usr/bin/env python3 from Crypto.Util.number import bytes_to_long, long_to_bytes from utils import listener # this is cryptohack's server-side module and not part of python import base64 import codecs import random FLAG = "crypto{????????????????????}" ENCODINGS = [ "base64", "hex", "rot13", "bigint", "utf-8", ] with open('/usr/share/dict/words') as f: WORDS = [line.strip().replace("'", "") for line in f.readlines()] class Challenge(): def __init__(self): self.challenge_words = "" self.stage = 0 def create_level(self): self.stage += 1 self.challenge_words = "_".join(random.choices(WORDS, k=3)) encoding = random.choice(ENCODINGS) if encoding == "base64": encoded = base64.b64encode(self.challenge_words.encode()).decode() # wow so encode elif encoding == "hex": encoded = self.challenge_words.encode().hex() elif encoding == "rot13": encoded = codecs.encode(self.challenge_words, 'rot_13') elif encoding == "bigint": encoded = hex(bytes_to_long(self.challenge_words.encode())) elif encoding == "utf-8": encoded = [ord(b) for b in self.challenge_words] return {"type": encoding, "encoded": encoded} # # This challenge function is called on your input, which must be JSON # encoded # def challenge(self, your_input): if self.stage == 0: return self.create_level() elif self.stage == 100: self.exit = True return {"flag": FLAG} if self.challenge_words == your_input["decoded"]: return self.create_level() return {"error": "Decoding fail"} listener.start_server(port=13377)</code></pre> <p data-ke-size="size16">13377.py 파일을 보면 {"type": encoding, "encoded": encoded}로 JSON 형태의 데이터를 리턴하는 것을 확인할 수 있다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">pwntools을 이용해서 자동으로 이를 입력받은 다음 디코딩 과정을 거쳐서 디코딩된 데이터를 {"decoded" : dec } 형태로 보내는 코드를 짜면 된다.</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1689039194792" class="python" data-ke-language="python" data-ke-type="codeblock"><code>from pwn import * from Crypto.Util.number import * import json import codecs r = remote("socket.cryptohack.org",13377) # context.log_level = "debug" def send_json(s): obj = {} obj['decoded'] = s s = json.dumps(obj) r.sendline(s) for i in range(100): li = r.recvline().split(b":") method = li[1].split(b",")[0][2:-1] enc = li[2][2:-3] # print(method) # print(enc) if method == b'base64': decoded = base64.b64decode(enc).decode() send_json(decoded) elif method == b'hex': decoded = bytes.fromhex(enc.decode()).decode() send_json(decoded) elif method == b'rot13': decoded = codecs.decode(enc.decode(),'rot13') send_json(decoded) elif method == b'bigint': num = int(enc.decode(),16) decoded = long_to_bytes(num).decode() send_json(decoded) else: li = enc.decode().split(", ") decoded = "" for i in li: decoded += chr(int(i)) send_json(decoded) print(r.recvline())</code></pre> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="313"><span data-url="https://blog.kakaocdn.net/dn/m0aLp/btsm83U413F/2uODcRwxXf1TgkfkSJGfYk/img.png" data-phocus="https://blog.kakaocdn.net/dn/m0aLp/btsm83U413F/2uODcRwxXf1TgkfkSJGfYk/img.png"><img src="https://blog.kakaocdn.net/dn/m0aLp/btsm83U413F/2uODcRwxXf1TgkfkSJGfYk/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fm0aLp%2Fbtsm83U413F%2F2uODcRwxXf1TgkfkSJGfYk%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="313" data-origin-width="995" data-origin-height="313"/></span></figure> </p> <p data-ke-size="size16">crypto{3nc0d3_d3c0d3_3nc0d3}</p> <p data-ke-size="size16">&nbsp;</p> <h4 data-ke-size="size20">XOR</h4> <p data-ke-size="size16">XOR Starter</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">문자열 label의 각 문자에 대해서 13과 XOR한 다음 결과를 출력하는 코드를 작성하면</p> <pre id="code_1689040372931" class="python" data-ke-language="python" data-ke-type="codeblock"><code>s = b'label' for i in range(5): print(chr(s[i] ^ 13))</code></pre> <p data-ke-size="size16">aloha가 나온다.</p> <p data-ke-size="size16">crypto{aloha}</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">XOR Properties</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">k1, k2^k1, k2^k3, flag^k1^k3^k2가 주어진다.</p> <p data-ke-size="size16">flag = flag^k1^k3^k2^k2^k3^k1이므로</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">이를 계산하는 코드를 구현하면</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1689040704207" class="python" data-ke-language="python" data-ke-type="codeblock"><code>from pwn import * k1 = bytes.fromhex("a6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313") k2k1 = bytes.fromhex("37dcb292030faa90d07eec17e3b1c6d8daf94c35d4c9191a5e1e") k2k3 = bytes.fromhex("c1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1") fk1k3k2 = bytes.fromhex("04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf") flag = xor(xor(fk1k3k2,k2k3),k1) print(flag)</code></pre> <p data-ke-size="size16">crypto{x0r_i5_ass0c1at1v3}</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Favorite byte</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">브포로 모든 1바이트에 대해서 xor하는 코드를 구현하자.</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1689040921191" class="python" data-ke-language="python" data-ke-type="codeblock"><code>from pwn import * b = bytes.fromhex("73626960647f6b206821204f21254f7d694f7624662065622127234f726927756d") for i in range(256): print(xor(b,i))</code></pre> <p data-ke-size="size16">crypto{0x10_15_my_f4v0ur173_by7e}</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">You either know, XOR you don't</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">hex 스트링과 플래그 포맷 crypto{}를 XOR하여서 key를 추출하려 시도하였는데, crypto{에 대해서 myXORke까지 출력되었다. 키를 myXORkey라 가정하고 이 키를 이용해서 주어진 스트링과 XOR하면 플래그가 나온다.</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1689041479474" class="python" data-ke-language="python" data-ke-type="codeblock"><code>from pwn import * b = bytes.fromhex("0e0b213f26041e480b26217f27342e175d0e070a3c5b103e2526217f27342e175d0e077e263451150104") f = b"myXORkey" print(xor(b,f))</code></pre> <p data-ke-size="size16">crypto{1f_y0u_Kn0w_En0uGH_y0u_Kn0w_1t_4ll}</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Lemur XOR</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">두 이미지 파일이 주어진다. 이 이미지 파일들을 XOR하면 플래그가 나올 것 같다.</p> <pre id="code_1689042434637" class="python" data-ke-language="python" data-ke-type="codeblock"><code>import numpy as np from PIL import Image img1 = Image.open("lemur.png") img2 = Image.open("flag.png") n1 = np.array(img1)*255 n2 = np.array(img2)*255 res_img = np.bitwise_xor(n1,n2).astype(np.uint8) Image.fromarray(n_img).save('res.png')</code></pre> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="1920" data-origin-height="1040"><span data-url="https://blog.kakaocdn.net/dn/Jafhj/btsm83gxxQL/lwDFzJhglheNnbEkTKB1LK/img.png" data-phocus="https://blog.kakaocdn.net/dn/Jafhj/btsm83gxxQL/lwDFzJhglheNnbEkTKB1LK/img.png"><img src="https://blog.kakaocdn.net/dn/Jafhj/btsm83gxxQL/lwDFzJhglheNnbEkTKB1LK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FJafhj%2Fbtsm83gxxQL%2FlwDFzJhglheNnbEkTKB1LK%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="1920" height="1040" data-origin-width="1920" data-origin-height="1040"/></span></figure> </p> <p data-ke-size="size16">crypto{X0Rly_n0t!}</p> <p data-ke-size="size16">&nbsp;</p> <h4 data-ke-size="size20">Mathematics</h4> <p data-ke-size="size16">Greatest Common Divisor</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">gcd(66528,52920)을 계산하면 된다.</p> <pre id="code_1689042691471" class="python" data-ke-language="python" data-ke-type="codeblock"><code>import sympy as sp print(sp.gcd(66528,52920))</code></pre> <p data-ke-size="size16">1512</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Extended GCD</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">확장된 유클리드 알고리즘을 이용해서 합동식을 계산하면 된다.</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1689777842664" class="python" data-ke-language="python" data-ke-type="codeblock"><code>def EEA(a,b): r1,r2 = a,b p1,p2 = 1,0 q1,q2 = 0,1 while r2&gt;0: n = r1 // r2 r1,r2 = r2,r1%r2 p1,p2 = p2,p1-n*p2 q1,q2 = q2,q1-n*q2 print("{} = {} * ({}) + {} * ({})".format(r1,a,p1,b,q1)) EEA(26513, 32321)</code></pre> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="228"><span data-url="https://blog.kakaocdn.net/dn/s8JBZ/btsoeAybFB3/dy1G4GlJraWXbgNH44WzH0/img.png" data-phocus="https://blog.kakaocdn.net/dn/s8JBZ/btsoeAybFB3/dy1G4GlJraWXbgNH44WzH0/img.png"><img src="https://blog.kakaocdn.net/dn/s8JBZ/btsoeAybFB3/dy1G4GlJraWXbgNH44WzH0/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fs8JBZ%2FbtsoeAybFB3%2Fdy1G4GlJraWXbgNH44WzH0%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="228" data-origin-width="995" data-origin-height="228"/></span></figure> </p> <p data-ke-size="size16">-8404</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Modular&nbsp;Arithmetic&nbsp;1</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="279"><span data-url="https://blog.kakaocdn.net/dn/YoxMC/btsoe0DqzRZ/czUD8iA0fKDYSfN2FclVJ1/img.png" data-phocus="https://blog.kakaocdn.net/dn/YoxMC/btsoe0DqzRZ/czUD8iA0fKDYSfN2FclVJ1/img.png"><img src="https://blog.kakaocdn.net/dn/YoxMC/btsoe0DqzRZ/czUD8iA0fKDYSfN2FclVJ1/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FYoxMC%2Fbtsoe0DqzRZ%2FczUD8iA0fKDYSfN2FclVJ1%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="279" data-origin-width="995" data-origin-height="279"/></span></figure> </p> <p data-ke-size="size16">두 수중 작은 값이므로 4</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Modular&nbsp;Arithmetic&nbsp;2</p> <p data-ke-size="size16">a^(p-1) mod p를 계산하고 a와 p는 서로소이므로 정답은 1이다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Modular&nbsp;Inverting</p> <p data-ke-size="size16">3의 mod 13에 대한 잉여역수를 계산하라고 한다. 3의 11승을 계산하면 된다. =&gt; 9</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="262"><span data-url="https://blog.kakaocdn.net/dn/cksAsZ/btsog0WGSED/gnzSNIWBpChbenv8BhwFBK/img.png" data-phocus="https://blog.kakaocdn.net/dn/cksAsZ/btsog0WGSED/gnzSNIWBpChbenv8BhwFBK/img.png"><img src="https://blog.kakaocdn.net/dn/cksAsZ/btsog0WGSED/gnzSNIWBpChbenv8BhwFBK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcksAsZ%2Fbtsog0WGSED%2FgnzSNIWBpChbenv8BhwFBK%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="262" data-origin-width="995" data-origin-height="262"/></span></figure> </p> <p data-ke-size="size16">&nbsp;</p> <h4 data-ke-size="size20">Data Formats</h4> <p data-ke-size="size16">Privacy-Enhanced Mail?</p> <pre id="code_1689778570499" class="python" data-ke-language="python" data-ke-type="codeblock"><code>from Crypto.PublicKey import RSA s = open("privacy_enhanced_mail.pem",'r').read() k = RSA.import_key(s) print(k.d)</code></pre> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="262"><span data-url="https://blog.kakaocdn.net/dn/A2eqr/btsobbyK5bv/HPVSKodrjqp5hgG6rnJ99K/img.png" data-phocus="https://blog.kakaocdn.net/dn/A2eqr/btsobbyK5bv/HPVSKodrjqp5hgG6rnJ99K/img.png"><img src="https://blog.kakaocdn.net/dn/A2eqr/btsobbyK5bv/HPVSKodrjqp5hgG6rnJ99K/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FA2eqr%2FbtsobbyK5bv%2FHPVSKodrjqp5hgG6rnJ99K%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="262" data-origin-width="995" data-origin-height="262"/></span></figure> </p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">CERTainly not</p> <pre id="code_1689778884348" class="python" data-ke-language="python" data-ke-type="codeblock"><code>import ssl from Crypto.PublicKey import RSA db = open("2048b-rsa-example-cert.der",'rb').read() pem = ssl.DER_cert_to_PEM_cert(db) k = RSA.import_key(pem) print(k.n)</code></pre> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="262"><span data-url="https://blog.kakaocdn.net/dn/bp2cvn/btsog1H3ghT/worTGq7kvS7VTRHzvn50tk/img.png" data-phocus="https://blog.kakaocdn.net/dn/bp2cvn/btsog1H3ghT/worTGq7kvS7VTRHzvn50tk/img.png"><img src="https://blog.kakaocdn.net/dn/bp2cvn/btsog1H3ghT/worTGq7kvS7VTRHzvn50tk/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fbp2cvn%2Fbtsog1H3ghT%2FworTGq7kvS7VTRHzvn50tk%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="262" data-origin-width="995" data-origin-height="262"/></span></figure> </p> <p data-ke-size="size16">SSH Keys</p> <pre id="code_1689779233429" class="python" data-ke-language="python" data-ke-type="codeblock"><code>from Crypto.PublicKey import RSA t = open("bruce_rsa.pub",'r').read() k = RSA.import_key(t) print(k.n)</code></pre> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="313"><span data-url="https://blog.kakaocdn.net/dn/bIA0hR/btsogYEG68N/7S6BVcp4BcPEB2pnwaDJXk/img.png" data-phocus="https://blog.kakaocdn.net/dn/bIA0hR/btsogYEG68N/7S6BVcp4BcPEB2pnwaDJXk/img.png"><img src="https://blog.kakaocdn.net/dn/bIA0hR/btsogYEG68N/7S6BVcp4BcPEB2pnwaDJXk/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbIA0hR%2FbtsogYEG68N%2F7S6BVcp4BcPEB2pnwaDJXk%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="313" data-origin-width="995" data-origin-height="313"/></span></figure> </p> <p data-ke-size="size16">Transparency</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="1920" data-origin-height="1033"><span data-url="https://blog.kakaocdn.net/dn/HhG7u/btsoftMc6tC/XpEoYFgJynynD5sJaQyH2K/img.png" data-phocus="https://blog.kakaocdn.net/dn/HhG7u/btsoftMc6tC/XpEoYFgJynynD5sJaQyH2K/img.png"><img src="https://blog.kakaocdn.net/dn/HhG7u/btsoftMc6tC/XpEoYFgJynynD5sJaQyH2K/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FHhG7u%2FbtsoftMc6tC%2FXpEoYFgJynynD5sJaQyH2K%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="1920" height="1033" data-origin-width="1920" data-origin-height="1033"/></span></figure> </p> <p data-ke-size="size16"><a href="https://thetransparencyflagishere.cryptohack.org/" target="_blank" rel="noopener">https://thetransparencyflagishere.cryptohack.org/</a></p> <p data-ke-size="size16">에 접속하면 플래그가 나온다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">crypto{thx_redpwn_for_inspiration}</p> Study/Hacking dys4nt https://dys4nt.tistory.com/51 https://dys4nt.tistory.com/51#entry51comment Thu, 20 Jul 2023 00:19:33 +0900 [HackTheBox] Templated https://dys4nt.tistory.com/47 <p data-ke-size="size16">간단한 SSTI로 풀리는 문제이다.</p> <p data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="533" data-origin-height="177"><span data-url="https://blog.kakaocdn.net/dn/byafII/btsnukvYEFa/tX0y3RsiKKVNHqgrbVJ9Kk/img.png" data-phocus="https://blog.kakaocdn.net/dn/byafII/btsnukvYEFa/tX0y3RsiKKVNHqgrbVJ9Kk/img.png"><img src="https://blog.kakaocdn.net/dn/byafII/btsnukvYEFa/tX0y3RsiKKVNHqgrbVJ9Kk/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbyafII%2FbtsnukvYEFa%2FtX0y3RsiKKVNHqgrbVJ9Kk%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="533" height="177" data-origin-width="533" data-origin-height="177"/></span></figure> </p> <p data-ke-size="size16">주어진 사이트에 접속하자마자 flask/jinja2로 개발되었다고 대놓고 SSTI 냄새를 풍긴다. 문제 이름도 templated이다.</p> <p data-ke-size="size16">아무 문자나 쳐서 사이트에 접속하면</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="543" data-origin-height="194"><span data-url="https://blog.kakaocdn.net/dn/dHvQmH/btsnvIXsSqZ/UZ02XIO0Ox8PKBkczq8iRk/img.png" data-phocus="https://blog.kakaocdn.net/dn/dHvQmH/btsnvIXsSqZ/UZ02XIO0Ox8PKBkczq8iRk/img.png"><img src="https://blog.kakaocdn.net/dn/dHvQmH/btsnvIXsSqZ/UZ02XIO0Ox8PKBkczq8iRk/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FdHvQmH%2FbtsnvIXsSqZ%2FUZ02XIO0Ox8PKBkczq8iRk%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="543" height="194" data-origin-width="543" data-origin-height="194"/></span></figure> </p> <p data-ke-size="size16">Error 404사이트가 뜨면서 page '입력한 문자열'이 발견되지 않았다고 나온다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">{{1+1}}을 대입하면 The page '2' could not be found가 나오면서 SSTI가 터진다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">아무런 보안기법도 걸려있지 않으므로 ''.__class__.__mro__[1].__subclasses__()에서 subprocess.Popen을 실행시켜주면 된다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">/%7B%7B''.__class__.__mro__[1].__subclasses__()[414]('cat%20flag.txt',shell=True,stdout=-1).communicate()%7D%7D</p> <p data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="1092" data-origin-height="205"><span data-url="https://blog.kakaocdn.net/dn/bEKTob/btsnvuZt6Oq/0woOanGbnHpXxXD7Zb80dK/img.png" data-phocus="https://blog.kakaocdn.net/dn/bEKTob/btsnvuZt6Oq/0woOanGbnHpXxXD7Zb80dK/img.png"><img src="https://blog.kakaocdn.net/dn/bEKTob/btsnvuZt6Oq/0woOanGbnHpXxXD7Zb80dK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbEKTob%2FbtsnvuZt6Oq%2F0woOanGbnHpXxXD7Zb80dK%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="1092" height="205" data-origin-width="1092" data-origin-height="205"/></span></figure> </p> <p data-ke-size="size16"><span style="color: #000000; text-align: start;">HTB{t3mpl4t3s_4r3_m0r3_p0w3rfu1_th4n_u_th1nk!}</span></p> Study/Hacking HTB web dys4nt https://dys4nt.tistory.com/47 https://dys4nt.tistory.com/47#entry47comment Thu, 13 Jul 2023 19:11:23 +0900 [pwn.college] Talking Web - level1 https://dys4nt.tistory.com/46 <p data-ke-size="size16">level1</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">curl로 localhost에 요청을 보내면 플래그가 나온다.</p> <p><figure class="imageblock alignLeft" data-ke-mobileStyle="widthOrigin" data-origin-width="426" data-origin-height="66"><span data-url="https://blog.kakaocdn.net/dn/MlGyJ/btsnoikqtQj/8FiHaV4mY3yHdIxzVKuMvk/img.png" data-phocus="https://blog.kakaocdn.net/dn/MlGyJ/btsnoikqtQj/8FiHaV4mY3yHdIxzVKuMvk/img.png"><img src="https://blog.kakaocdn.net/dn/MlGyJ/btsnoikqtQj/8FiHaV4mY3yHdIxzVKuMvk/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FMlGyJ%2FbtsnoikqtQj%2F8FiHaV4mY3yHdIxzVKuMvk%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="426" height="66" data-origin-width="426" data-origin-height="66"/></span></figure> </p> <p data-ke-size="size16">pwn.college{AX02s7xlfOWQFIqbjnyLsvEWJPN.dhjNyMDL3QTNyMzW}</p> Study/Hacking pwn.college web dys4nt https://dys4nt.tistory.com/46 https://dys4nt.tistory.com/46#entry46comment Thu, 13 Jul 2023 10:41:08 +0900 [BoB] ipTIME A3004NS-M 펌웨어 버전 11.99.2 분석 https://dys4nt.tistory.com/45 <h2 data-ke-size="size26">1. 개요</h2> <h4 data-ke-size="size20">1-1. 선택한 펌웨어</h4> <p data-ke-size="size16">먼저 ipTIME 공식 홈페이지에 접속하여서 나의 공유기에 맞는 버전의 펌웨어를 다운받았다.</p> <p data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-filename="화면 캡처 2023-07-10 212057.png" data-origin-width="451" data-origin-height="126"><span data-url="https://blog.kakaocdn.net/dn/GipeB/btsm9vQ7PiN/vvKk6GiXKpuOfoDdzcoje0/img.png" data-phocus="https://blog.kakaocdn.net/dn/GipeB/btsm9vQ7PiN/vvKk6GiXKpuOfoDdzcoje0/img.png"><img src="https://blog.kakaocdn.net/dn/GipeB/btsm9vQ7PiN/vvKk6GiXKpuOfoDdzcoje0/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FGipeB%2Fbtsm9vQ7PiN%2FvvKk6GiXKpuOfoDdzcoje0%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="451" height="126" data-filename="화면 캡처 2023-07-10 212057.png" data-origin-width="451" data-origin-height="126"/></span></figure> </p> <p data-ke-size="size16">선택한 펌웨어는 ipTIME A3004NS-M 공유기의 11.99.2 버전 펌웨어이다.</p> <h4 data-ke-size="size20">1-2. 선택한 이유</h4> <p data-ke-size="size16">이 펌웨어를 선택한 이유로는 최신 버전에서는 .xz파일이 압축 해제되지 않아서 삽질을 하였고, 이하 버전을 찾아보던 중 가장 다운로드 수가 많은 버전이였기 때문이였다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">펌웨어를 다운받고 binwalk 명령을 통해서 펌웨어의 구조를 살펴보았다.</p> <p data-ke-size="size16">&nbsp;</p> <h4 data-ke-size="size20">2-1. 펌웨어 리버싱 명령어</h4> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="568"><span data-url="https://blog.kakaocdn.net/dn/KiY6U/btsm9CCHuuk/5fzCbr1nzkqlGmW51Bpahk/img.png" data-phocus="https://blog.kakaocdn.net/dn/KiY6U/btsm9CCHuuk/5fzCbr1nzkqlGmW51Bpahk/img.png"><img src="https://blog.kakaocdn.net/dn/KiY6U/btsm9CCHuuk/5fzCbr1nzkqlGmW51Bpahk/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FKiY6U%2Fbtsm9CCHuuk%2F5fzCbr1nzkqlGmW51Bpahk%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="568" data-origin-width="995" data-origin-height="568"/></span></figure> </p> <p data-ke-size="size16">파일은 다음과 같은 구성으로 되어있다.</p> <p data-ke-size="size16">0x0 ~ 0x40 uImage 헤더, 리눅스 os의 커널 이미지를 담고 있음.</p> <p data-ke-size="size16">0x40 ~ 0x348769 Squashfs 파일시스템. 리틀 엔디언 구조, 4.0 버전, xz로 압축되었음.</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="568"><span data-url="https://blog.kakaocdn.net/dn/GHI1s/btsm92VuuOq/sXaB2zYTRmSDmUxr9ezFj0/img.png" data-phocus="https://blog.kakaocdn.net/dn/GHI1s/btsm92VuuOq/sXaB2zYTRmSDmUxr9ezFj0/img.png"><img src="https://blog.kakaocdn.net/dn/GHI1s/btsm92VuuOq/sXaB2zYTRmSDmUxr9ezFj0/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FGHI1s%2Fbtsm92VuuOq%2FsXaB2zYTRmSDmUxr9ezFj0%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="568" data-origin-width="995" data-origin-height="568"/></span></figure> </p> <p data-ke-size="size16">ARM의 아키텍처가 사용됨.&nbsp;</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1688992081021" class="shell" data-ke-language="shell" data-ke-type="codeblock"><code>$ binwalk -e a3004nm_kr_11_992.bin</code></pre> <p data-ke-size="size16">명령어로 extract한 다음 파일시스템을 살펴보았다.</p> <p data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="568"><span data-url="https://blog.kakaocdn.net/dn/FGA57/btsm8PbyOg7/uu8sI8DVJz5Gy1cCKlNZn1/img.png" data-phocus="https://blog.kakaocdn.net/dn/FGA57/btsm8PbyOg7/uu8sI8DVJz5Gy1cCKlNZn1/img.png"><img src="https://blog.kakaocdn.net/dn/FGA57/btsm8PbyOg7/uu8sI8DVJz5Gy1cCKlNZn1/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FFGA57%2Fbtsm8PbyOg7%2Fuu8sI8DVJz5Gy1cCKlNZn1%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="568" data-origin-width="995" data-origin-height="568"/></span></figure> </p> <p data-ke-size="size16">리눅스 파일시스템의 형태를 띄고 있다.</p> <p data-ke-size="size16">여기서 ipTIME 공유기에 접속하면 .cgi 확장자로 된 url 링크에 접속하는 것을 확인할 수 있는데, 이로써 /cgibin 디렉토리에 중요한 파일들이 모여있을 것으로 추측하였다.</p> <p data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="568"><span data-url="https://blog.kakaocdn.net/dn/bGdFko/btsnbIvrXLp/fokyTY5j1m3ENmutnBkWs0/img.png" data-phocus="https://blog.kakaocdn.net/dn/bGdFko/btsnbIvrXLp/fokyTY5j1m3ENmutnBkWs0/img.png"><img src="https://blog.kakaocdn.net/dn/bGdFko/btsnbIvrXLp/fokyTY5j1m3ENmutnBkWs0/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbGdFko%2FbtsnbIvrXLp%2FfokyTY5j1m3ENmutnBkWs0%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="568" data-origin-width="995" data-origin-height="568"/></span></figure> </p> <p data-ke-size="size16">예상대로 여러 중요한 파일들로 구성되어 있었다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">home 디렉토리에는 httpd라는 사용자가 생성되어있었다.</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="986" data-origin-height="704"><span data-url="https://blog.kakaocdn.net/dn/c4PtO6/btsm9gfzVbk/5nkkHURhNFRdJXvwYESWJk/img.png" data-phocus="https://blog.kakaocdn.net/dn/c4PtO6/btsm9gfzVbk/5nkkHURhNFRdJXvwYESWJk/img.png"><img src="https://blog.kakaocdn.net/dn/c4PtO6/btsm9gfzVbk/5nkkHURhNFRdJXvwYESWJk/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fc4PtO6%2Fbtsm9gfzVbk%2F5nkkHURhNFRdJXvwYESWJk%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="986" height="704" data-origin-width="986" data-origin-height="704"/></span></figure> </p> <p data-ke-size="size16">bin 디렉토리를 살펴보면&nbsp;</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="1920" data-origin-height="1033"><span data-url="https://blog.kakaocdn.net/dn/bxwu3k/btsm8KnYhcH/xhgV7KYJCfKwTMTK0ugBp1/img.png" data-phocus="https://blog.kakaocdn.net/dn/bxwu3k/btsm8KnYhcH/xhgV7KYJCfKwTMTK0ugBp1/img.png"><img src="https://blog.kakaocdn.net/dn/bxwu3k/btsm8KnYhcH/xhgV7KYJCfKwTMTK0ugBp1/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fbxwu3k%2Fbtsm8KnYhcH%2FxhgV7KYJCfKwTMTK0ugBp1%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="1920" height="1033" data-origin-width="1920" data-origin-height="1033"/></span></figure> </p> <p data-ke-size="size16">busybox라는 파일에 연결되어있음을 확인할 수 있는데, 공유기에서 busybox라는 소프트웨어가 사용됨을 처음으로 알게 되었다.</p> <p data-ke-size="size16">&nbsp;</p> <h4 data-ke-size="size20">2-2. 펌웨어 구성 설명</h4> <p data-ke-size="size16">?</p> <p data-ke-size="size16">&nbsp;</p> <h4 data-ke-size="size20">3-1. bash 실행 방법</h4> <p data-ke-size="size16">쉘을 실행하기 위해서 ./bin/sh 파일의 아키텍를 살펴보기로 했다.</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="568"><span data-url="https://blog.kakaocdn.net/dn/c5V0tT/btsnaSUwt5k/0XLbXUhg2sIIibNkVuFodK/img.png" data-phocus="https://blog.kakaocdn.net/dn/c5V0tT/btsnaSUwt5k/0XLbXUhg2sIIibNkVuFodK/img.png"><img src="https://blog.kakaocdn.net/dn/c5V0tT/btsnaSUwt5k/0XLbXUhg2sIIibNkVuFodK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fc5V0tT%2FbtsnaSUwt5k%2F0XLbXUhg2sIIibNkVuFodK%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="568" data-origin-width="995" data-origin-height="568"/></span></figure> </p> <p data-ke-size="size16">MIPS R3000 머신이라 나와있다. mips 아키텍로 구동되는 파일을 실행하기 위해서 qemu-user-static 패키지를 설치하였고, /usr/bin 디렉토리에 있는 qemu-mipsel-static을 펌웨어의 / 디렉토리로 복사하였다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">그 다음 chroot을 이용해서 / 디렉토리를 새롭게 정의한 상태로 /bin/sh 파일을 실행하였고 쉘을 실행할 수 있었다.</p> <p data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="568"><span data-url="https://blog.kakaocdn.net/dn/dIliMx/btsnhtMgJkn/vcJ3LondGQhFvprwGAIgx0/img.png" data-phocus="https://blog.kakaocdn.net/dn/dIliMx/btsnhtMgJkn/vcJ3LondGQhFvprwGAIgx0/img.png"><img src="https://blog.kakaocdn.net/dn/dIliMx/btsnhtMgJkn/vcJ3LondGQhFvprwGAIgx0/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FdIliMx%2FbtsnhtMgJkn%2FvcJ3LondGQhFvprwGAIgx0%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="568" data-origin-width="995" data-origin-height="568"/></span></figure> <figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="568"><span data-url="https://blog.kakaocdn.net/dn/ddoJe6/btsngUDxqio/48YJ4goi1CEKE5talx5K80/img.png" data-phocus="https://blog.kakaocdn.net/dn/ddoJe6/btsngUDxqio/48YJ4goi1CEKE5talx5K80/img.png"><img src="https://blog.kakaocdn.net/dn/ddoJe6/btsngUDxqio/48YJ4goi1CEKE5talx5K80/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FddoJe6%2FbtsngUDxqio%2F48YJ4goi1CEKE5talx5K80%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="568" data-origin-width="995" data-origin-height="568"/></span></figure> </p> <h4 data-ke-size="size20">3-2. 주요 발견 사항</h4> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="1920" data-origin-height="1033"><span data-url="https://blog.kakaocdn.net/dn/cmpcYv/btsng9f7ZoC/qb0jpkQmSuSsf3Y4ttBwok/img.png" data-phocus="https://blog.kakaocdn.net/dn/cmpcYv/btsng9f7ZoC/qb0jpkQmSuSsf3Y4ttBwok/img.png"><img src="https://blog.kakaocdn.net/dn/cmpcYv/btsng9f7ZoC/qb0jpkQmSuSsf3Y4ttBwok/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcmpcYv%2Fbtsng9f7ZoC%2Fqb0jpkQmSuSsf3Y4ttBwok%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="1920" height="1033" data-origin-width="1920" data-origin-height="1033"/></span></figure> </p> <p data-ke-size="size16">show_debug_screen 함수에서 디버깅에 사용되는 숨겨진 코드를 발견하였다.</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1689070409251" class="cpp" data-ke-language="cpp" data-ke-type="codeblock"><code>int __fastcall show_debug_screen(int a1) { int result; // $v0 bool v3; // dc int v4; // $s0 int v5; // $s1 int v6; // $s1 char v7[32]; // [sp+18h] [-4A4h] BYREF char v8[128]; // [sp+38h] [-484h] BYREF char v9[6]; // [sp+B8h] [-404h] BYREF char v10; // [sp+BEh] [-3FEh] char v11; // [sp+BFh] [-3FDh] char v12; // [sp+C0h] [-3FCh] char v13; // [sp+C1h] [-3FBh] char v14; // [sp+C2h] [-3FAh] char v15; // [sp+C3h] [-3F9h] char v16; // [sp+C4h] [-3F8h] char v17; // [sp+C5h] [-3F7h] char v18; // [sp+C6h] [-3F6h] char v19; // [sp+C7h] [-3F5h] char v20; // [sp+C8h] [-3F4h] char v21[256]; // [sp+1B8h] [-304h] BYREF char v22[516]; // [sp+2B8h] [-204h] BYREF result = get_remote_support(); if ( result ) { result = check_default_pass(); if ( !result ) { strcpy(v9, ""); if ( !get_value(a1, "act", v7, 32) ) goto LABEL_50; if ( strcmp(v7, "1") ) goto LABEL_50; v3 = get_value(a1, "aaksjdkfj", v9, 256) == 0; result = 33; if ( !v3 ) { result = 64; if ( v9[0] == 33 ) { result = 100; if ( v9[1] == 64 ) { result = 110; if ( v9[2] == 100 ) { result = 106; if ( v9[3] == 110 ) { result = 115; if ( v9[4] == 106 ) { result = 114; if ( v9[5] == 115 ) { result = 117; if ( v10 == 114 &amp;&amp; v11 == 117 ) { result = v12; if ( v12 == v10 &amp;&amp; v13 == 101 &amp;&amp; v14 == 108 &amp;&amp; v15 == 113 &amp;&amp; v16 == 106 ) { result = 109; if ( v17 == v12 ) { result = 42; if ( v18 == 109 ) { result = 38; if ( v19 == 42 &amp;&amp; v20 == 38 ) { LABEL_50: if ( get_value(a1, "act", v7, 32) &amp;&amp; !strcmp(v7, "1") &amp;&amp; get_value(a1, "fdump", v7, 32) &amp;&amp; !strcmp(v7, "on") ) { result = get_value(a1, "fname", v8, 128); if ( result ) { v4 = fopen(v8, "r"); if ( v4 ) { while ( fgets(v22, 256, v4) ) printf("%s", v22); return fclose(v4); } else { return puts("file open error!"); } } } else { puts("&lt;html&gt;"); puts("&lt;br&gt;&lt;br&gt;&lt;center&gt;"); puts("&lt;form method=get action=\"d.cgi\" name=\"dform\"&gt;"); printf("&lt;input type=hidden name=act value=1&gt;"); puts( "File Name : &lt;input type=text name=\"fname\" value=\"\" size=50 maxlength=120&gt;&lt;br&gt;&lt;br&gt;"); puts( "Command Name : &lt;input type=text name=\"cmd\" value=\"\" size=64 maxlength=256&gt;&lt;br&gt;&lt;br&gt;"); printf( "&lt;input type=text name=\"aaksjdkfj\" value=\"%s\" size=64 maxlength=256&gt;&lt;br&gt;&lt;br&gt;\n", v9); puts("&lt;input type=submit name=\"dapply\" value=\" Show \"&gt;"); puts("&lt;/form&gt;"); puts("&lt;/center&gt;&lt;br&gt;&lt;br&gt;"); result = get_value(a1, "act", v7, 32); if ( result ) { result = strcmp(v7, "1"); if ( !result ) { if ( get_value(a1, "fname", v8, 128) ) { v5 = fopen(v8, "r"); if ( v5 ) { while ( fgets(v22, 256, v5) ) printf("&lt;font size=-1&gt;%s&lt;/font&gt;&lt;br&gt;\n", v22); fclose(v5); } else { puts("file open error!"); } } result = get_value(a1, "cmd", v21, 256); if ( result ) { printf("&lt;b&gt;command = %s&lt;/b&gt;&lt;br&gt;&lt;br&gt;", v21); snprintf(v22, 512, "%s &gt;&gt; /var/run/cmd_temp", v21); system(v22); v6 = fopen("/var/run/cmd_temp", "r"); if ( v6 ) { while ( fgets(v22, 256, v6) ) printf("&lt;font size=-1&gt;%s&lt;/font&gt;&lt;br&gt;\n", v22); fclose(v6); } return unlink("/var/run/cmd_temp"); } } } } } } } } } } } } } } } } } } return result; }</code></pre> <p data-ke-size="size16">계속 변수를 숫자와 비교하는 것으로 보아 문자열의 각 값을 비교하는 것이라 추측하고 다음과 같은 코드를 작성하였다.</p> <p data-ke-size="size16">&nbsp;</p> <pre id="code_1689070673287" class="cpp" data-ke-language="cpp" data-ke-type="codeblock"><code>li = [33,64,100,110,106,115,114,117,114,101,108,113,106,114,109,42,38] s = "" for num in li: s += chr(num) print(s)</code></pre> <p data-ke-size="size16">이 코드의 실행결과는 아래와 같으며, dnjsrurelqjrm는 원격디버그를 영어로 친 것이다.</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="211"><span data-url="https://blog.kakaocdn.net/dn/pylj8/btsnheBLXMU/zJiMXHcilTCQgy56JJCNWK/img.png" data-phocus="https://blog.kakaocdn.net/dn/pylj8/btsnheBLXMU/zJiMXHcilTCQgy56JJCNWK/img.png"><img src="https://blog.kakaocdn.net/dn/pylj8/btsnheBLXMU/zJiMXHcilTCQgy56JJCNWK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fpylj8%2FbtsnheBLXMU%2FzJiMXHcilTCQgy56JJCNWK%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="211" data-origin-width="995" data-origin-height="211"/></span></figure> </p> <p data-ke-size="size16">get 방식으로 aaksjdkfj 인자가 !@dnjsrurelqjrm*&amp;일 경우 디버거가 실행되는 것으로 보인다.</p> <p data-ke-size="size16">&nbsp;</p> <h4 data-ke-size="size20">3-3. 로컬에서 웹 서버 실행 및 login gui 접속</h4> <p data-ke-size="size16">인터넷 글을 참조하여서 이 환경을 실행하려고 시도해보았다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">QEMU로 가상환경을 실행한 다음, SSH, HTTP 포트를 4022, 4080으로 포트포워딩한다. SSH로 /squashfs-root 디렉토리를 압축한 squashfs-root.tar 파일을 전송한 다음 압축해제한다. 그 다음 펌웨어를 정상적으로 실행할 수 있도록 루트 위치를 바꿔준다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">그러나 이 과정에서 계속 오류가 발생하여서 제대로 구현하지는 못하였다.</p> <p data-ke-size="size16">&nbsp;</p> <h2 data-ke-size="size26">4. 결론</h2> <h4 data-ke-size="size20">4-1. 배운점</h4> <p data-ke-size="size16">펌웨어의 구조에 대해서 공부해보고 직접 실습하는 계기를 가졌다. 이 과정에서 x86-64가 아닌 다른 아키텍처에 대해서 접하면서 기존의 명령어가 아닌 새로운 명령어에 대해 접하면서 새로운 언어를 공부하는 것과 같은 느낌이 들었다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">binwalk의 사용법에 대해서도 배우면서 포렌식에 대해서 자세히 알게 된 것 같다. 또한 다른 아키텍처로 만들어진 코드를 x86-64에서 실행하는 라이브러리에 대해서 배웠다. 마지막으로 IDA Pro의 중요성에 대해서 배우게 되었다.</p> <p data-ke-size="size16">&nbsp;</p> <h4 data-ke-size="size20">4-2. 앞으로?</h4> <p data-ke-size="size16">리눅스 커널 및 부트로더, 파일시스템에 대해서 자세히 배워야겠다. qemu로 가상환경을 구성하면서 커널 파일, HDA에 대해서 배우게 되었다. 커널에 대해서 다른 수업에서도 배우게 되었는데 커널에 대해서 많은 관심을 가지게 되어서 잘 배울 수 있을 것 같다. 또한 리눅스에 대해서 정말 아는 것이 많이 없다는 느낌이 들었고, 기존에 사용하던 여러 명령어들이 아닌 새로운 binwalk. chroot, readelf과 같은 명령어들을 사용해보면서 새로움을 느꼈다. 리눅스 마스터를 따고 싶다는 생각이 들었다. 마지막으로 하드웨어 속 소프트웨어 코드를 직접 리버싱 해본적이 처음이였는데 내 주변 여러 기기들의 펌웨어를 분석해서 IoT 기기들을 직접 해킹해보고 싶다.</p> <p data-ke-size="size16">&nbsp;</p> Study/Hacking dys4nt https://dys4nt.tistory.com/45 https://dys4nt.tistory.com/45#entry45comment Tue, 11 Jul 2023 19:56:29 +0900 [cryptohack.org] Introduction https://dys4nt.tistory.com/44 <p data-ke-size="size16">Finding Flags</p> <p data-ke-size="size16">플래그가 그냥 주어진다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">crypto{y0ur_f1rst_fl4g}</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Great Snakes</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">great_snakes.py라는 파일이 주어지는데, wget을 이용해서 파일을 받은 다음 실행하면 플래그가 나온다.</p> <p data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="568"><span data-url="https://blog.kakaocdn.net/dn/ca3F4W/btsm8Q9w2ko/bIXog2HPYWJ5G8J8ig7xz1/img.png" data-phocus="https://blog.kakaocdn.net/dn/ca3F4W/btsm8Q9w2ko/bIXog2HPYWJ5G8J8ig7xz1/img.png"><img src="https://blog.kakaocdn.net/dn/ca3F4W/btsm8Q9w2ko/bIXog2HPYWJ5G8J8ig7xz1/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fca3F4W%2Fbtsm8Q9w2ko%2FbIXog2HPYWJ5G8J8ig7xz1%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="568" data-origin-width="995" data-origin-height="568"/></span></figure> </p> <p data-ke-size="size16">crypto{z3n_0f_pyth0n}</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Network Attacks</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">nc을 이용해서 접속한 다음 JSON 데이터를 입력해서 보내면 플래그가 나온다.</p> <p data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="995" data-origin-height="568"><span data-url="https://blog.kakaocdn.net/dn/dpgAyx/btsm2IYJrl7/Lnk9YMKX2kZkAGNoT1LTG1/img.png" data-phocus="https://blog.kakaocdn.net/dn/dpgAyx/btsm2IYJrl7/Lnk9YMKX2kZkAGNoT1LTG1/img.png"><img src="https://blog.kakaocdn.net/dn/dpgAyx/btsm2IYJrl7/Lnk9YMKX2kZkAGNoT1LTG1/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FdpgAyx%2Fbtsm2IYJrl7%2FLnk9YMKX2kZkAGNoT1LTG1%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="995" height="568" data-origin-width="995" data-origin-height="568"/></span></figure> </p> <p data-ke-size="size16">crypto{sh0pp1ng_f0r_fl4g5}</p> Study/Hacking Crypto cryptohack.org dys4nt https://dys4nt.tistory.com/44 https://dys4nt.tistory.com/44#entry44comment Tue, 11 Jul 2023 09:43:50 +0900 [BOJ/백준][Rust] 1008 A/B https://dys4nt.tistory.com/35 <p data-ke-size="size16">f32로 제출하면 오차범위에 의해서 틀렸다고 채점된다.</p> <div class="colorscripter-code" style="color: #010101; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace !important; position: relative !important; overflow: auto;"> <table class="colorscripter-code-table" style="margin: 0; padding: 0; border: none; background-color: #fafafa; border-radius: 4px;" cellspacing="0" cellpadding="0" data-ke-align="alignLeft"> <tbody> <tr> <td style="padding: 6px; border-right: 2px solid #e5e5e5;"> <div style="margin: 0; padding: 0; word-break: normal; text-align: right; color: #666; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace !important; line-height: 130%;"> <div style="line-height: 130%;">1</div> <div style="line-height: 130%;">2</div> <div style="line-height: 130%;">3</div> <div style="line-height: 130%;">4</div> <div style="line-height: 130%;">5</div> <div style="line-height: 130%;">6</div> <div style="line-height: 130%;">7</div> <div style="line-height: 130%;">8</div> <div style="line-height: 130%;">9</div> <div style="line-height: 130%;">10</div> </div> </td> <td style="padding: 6px 0; text-align: left;"> <div style="margin: 0; padding: 0; color: #010101; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace !important; line-height: 130%;"> <div style="padding: 0 6px; white-space: pre; line-height: 130%;"><span style="color: #0086b3;">use</span>&nbsp;std::io;</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;"><span style="color: #a71d5d;">fn</span>&nbsp;main(){</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #066de2;">let</span>&nbsp;<span style="color: #0086b3;">mut</span>&nbsp;s&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;String::new();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;io::stdin().read_line(<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&amp;</span><span style="color: #0086b3;">mut</span>&nbsp;s).unwrap();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #066de2;">let</span>&nbsp;li:&nbsp;Vec<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&lt;</span><span style="color: #ff3399;"></span><span style="color: #a71d5d;">&amp;</span>str<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&gt;</span>&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;s.split_whitespace().collect();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #066de2;">let</span>&nbsp;a&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;li[<span style="color: #0099cc;">0</span>].parse::<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&lt;</span><span style="color: #066de2;">f64</span><span style="color: #a71d5d;">&gt;</span>().unwrap();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #066de2;">let</span>&nbsp;b&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;li[<span style="color: #0099cc;">1</span>].parse::<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&lt;</span><span style="color: #066de2;">f64</span><span style="color: #a71d5d;">&gt;</span>().unwrap();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;println<span style="color: #ff3399;"></span><span style="color: #a71d5d;">!</span>(<span style="color: #63a35c;">"{}"</span>,a<span style="color: #ff3399;"></span><span style="color: #a71d5d;">/</span>b)</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">}</div> </div> <div style="text-align: right; margin-top: -13px; margin-right: 5px; font-size: 9px; font-style: italic;"><a style="color: #e5e5e5text-decoration:none;" href="http://colorscripter.com/info#e" target="_blank" rel="noopener">Colored by Color Scripter</a></div> </td> <td style="vertical-align: bottom; padding: 0 2px 4px 0;"><a style="text-decoration: none; color: white;" href="http://colorscripter.com/info#e" target="_blank" rel="noopener"><span style="font-size: 9px; word-break: normal; background-color: #e5e5e5; color: white; border-radius: 10px; padding: 1px;">cs</span></a></td> </tr> </tbody> </table> </div> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="1138" data-origin-height="34"><span data-url="https://blog.kakaocdn.net/dn/cA9zov/btsknuAgYrA/7PGon453kaptR8eRr1Z2IK/img.png" data-phocus="https://blog.kakaocdn.net/dn/cA9zov/btsknuAgYrA/7PGon453kaptR8eRr1Z2IK/img.png"><img src="https://blog.kakaocdn.net/dn/cA9zov/btsknuAgYrA/7PGon453kaptR8eRr1Z2IK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcA9zov%2FbtsknuAgYrA%2F7PGon453kaptR8eRr1Z2IK%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="1138" height="34" data-origin-width="1138" data-origin-height="34"/></span></figure> </p> Study/PS PS 백준 dys4nt https://dys4nt.tistory.com/35 https://dys4nt.tistory.com/35#entry35comment Sun, 18 Jun 2023 14:49:13 +0900 [BOJ/백준][Rust] 1001 A-B https://dys4nt.tistory.com/34 <p data-ke-size="size16">unwrap()를 안해줬더니 컴파일 시 에러가 발생한다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">&nbsp;</p> <div class="colorscripter-code" style="color: #010101; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace !important; position: relative !important; overflow: auto;"> <table class="colorscripter-code-table" style="margin: 0; padding: 0; border: none; background-color: #fafafa; border-radius: 4px;" cellspacing="0" cellpadding="0" data-ke-align="alignLeft"> <tbody> <tr> <td style="padding: 6px; border-right: 2px solid #e5e5e5;"> <div style="margin: 0; padding: 0; word-break: normal; text-align: right; color: #666; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace !important; line-height: 130%;"> <div style="line-height: 130%;">1</div> <div style="line-height: 130%;">2</div> <div style="line-height: 130%;">3</div> <div style="line-height: 130%;">4</div> <div style="line-height: 130%;">5</div> <div style="line-height: 130%;">6</div> <div style="line-height: 130%;">7</div> <div style="line-height: 130%;">8</div> <div style="line-height: 130%;">9</div> <div style="line-height: 130%;">10</div> </div> </td> <td style="padding: 6px 0; text-align: left;"> <div style="margin: 0; padding: 0; color: #010101; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace !important; line-height: 130%;"> <div style="padding: 0 6px; white-space: pre; line-height: 130%;"><span style="color: #0086b3;">use</span>&nbsp;std::io;</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;"><span style="color: #a71d5d;">fn</span>&nbsp;main(){</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #066de2;">let</span>&nbsp;<span style="color: #0086b3;">mut</span>&nbsp;s&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;String::new();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;io::stdin().read_line(<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&amp;</span><span style="color: #0086b3;">mut</span>&nbsp;s).unwrap();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #066de2;">let</span>&nbsp;li:&nbsp;Vec<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&lt;</span><span style="color: #ff3399;"></span><span style="color: #a71d5d;">&amp;</span>str<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&gt;</span>&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;s.split_whitespace().collect();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #066de2;">let</span>&nbsp;a&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;li[<span style="color: #0099cc;">0</span>].parse::<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&lt;</span><span style="color: #066de2;">i32</span><span style="color: #a71d5d;">&gt;</span>().unwrap();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #066de2;">let</span>&nbsp;b&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;li[<span style="color: #0099cc;">1</span>].parse::<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&lt;</span><span style="color: #066de2;">i32</span><span style="color: #a71d5d;">&gt;</span>().unwrap();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;println<span style="color: #ff3399;"></span><span style="color: #a71d5d;">!</span>(<span style="color: #63a35c;">"{}"</span>,a<span style="color: #ff3399;"></span><span style="color: #a71d5d;">-</span>b);</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">}</div> </div> <div style="text-align: right; margin-top: -13px; margin-right: 5px; font-size: 9px; font-style: italic;"><a style="color: #e5e5e5text-decoration:none;" href="http://colorscripter.com/info#e" target="_blank" rel="noopener">Colored by Color Scripter</a></div> </td> <td style="vertical-align: bottom; padding: 0 2px 4px 0;"><a style="text-decoration: none; color: white;" href="http://colorscripter.com/info#e" target="_blank" rel="noopener"><span style="font-size: 9px; word-break: normal; background-color: #e5e5e5; color: white; border-radius: 10px; padding: 1px;">cs</span></a></td> </tr> </tbody> </table> </div> <p data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="1140" data-origin-height="71"><span data-url="https://blog.kakaocdn.net/dn/baPj9e/btskhClOg1e/3wkg8eCWnAK0qEdurTsTt1/img.png" data-phocus="https://blog.kakaocdn.net/dn/baPj9e/btskhClOg1e/3wkg8eCWnAK0qEdurTsTt1/img.png"><img src="https://blog.kakaocdn.net/dn/baPj9e/btskhClOg1e/3wkg8eCWnAK0qEdurTsTt1/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbaPj9e%2FbtskhClOg1e%2F3wkg8eCWnAK0qEdurTsTt1%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="1140" height="71" data-origin-width="1140" data-origin-height="71"/></span></figure> </p> Study/PS PS 백준 dys4nt https://dys4nt.tistory.com/34 https://dys4nt.tistory.com/34#entry34comment Sun, 18 Jun 2023 14:39:42 +0900 [BOJ/백준][Rust] 1000 A+B https://dys4nt.tistory.com/33 <p data-ke-size="size16">ID dys4nt로 새로운 백준 PS 계정을 만들었다.</p> <p data-ke-size="size16">Rust 언어를 공부할 겸 Rust로 solved.ac CLASS들을 깨보겠다.</p> <p data-ke-size="size16">&nbsp;</p> <div class="colorscripter-code" style="color: #010101; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace !important; position: relative !important; overflow: auto;"> <table class="colorscripter-code-table" style="margin: 0; padding: 0; border: none; background-color: #fafafa; border-radius: 4px;" cellspacing="0" cellpadding="0" data-ke-align="alignLeft"> <tbody> <tr> <td style="padding: 6px; border-right: 2px solid #e5e5e5;"> <div style="margin: 0; padding: 0; word-break: normal; text-align: right; color: #666; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace !important; line-height: 130%;"> <div style="line-height: 130%;">1</div> <div style="line-height: 130%;">2</div> <div style="line-height: 130%;">3</div> <div style="line-height: 130%;">4</div> <div style="line-height: 130%;">5</div> <div style="line-height: 130%;">6</div> <div style="line-height: 130%;">7</div> <div style="line-height: 130%;">8</div> <div style="line-height: 130%;">9</div> <div style="line-height: 130%;">10</div> <div style="line-height: 130%;">11</div> <div style="line-height: 130%;">12</div> <div style="line-height: 130%;">13</div> <div style="line-height: 130%;">14</div> </div> </td> <td style="padding: 6px 0; text-align: left;"> <div style="margin: 0; padding: 0; color: #010101; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace !important; line-height: 130%;"> <div style="padding: 0 6px; white-space: pre; line-height: 130%;"><span style="color: #0086b3;">use</span>&nbsp;std::io;</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;"><span style="color: #a71d5d;">fn</span>&nbsp;main(){</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #066de2;">let</span>&nbsp;<span style="color: #0086b3;">mut</span>&nbsp;s&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;String::new();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;io::stdin().read_line(<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&amp;</span><span style="color: #0086b3;">mut</span>&nbsp;s);</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #066de2;">let</span>&nbsp;li&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;s.split_whitespace();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #066de2;">let</span>&nbsp;<span style="color: #0086b3;">mut</span>&nbsp;x:&nbsp;<span style="color: #066de2;">i32</span>&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;<span style="color: #0099cc;">0</span>;</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #a71d5d;">for</span>&nbsp;num&nbsp;in&nbsp;li{</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;x&nbsp;<span style="color: #ff3399;"></span><span style="color: #a71d5d;">+</span><span style="color: #ff3399;"></span><span style="color: #a71d5d;">=</span>&nbsp;num.parse::<span style="color: #ff3399;"></span><span style="color: #a71d5d;">&lt;</span><span style="color: #066de2;">i32</span><span style="color: #a71d5d;">&gt;</span>().unwrap();</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;}</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">&nbsp;&nbsp;&nbsp;&nbsp;println<span style="color: #ff3399;"></span><span style="color: #a71d5d;">!</span>(<span style="color: #63a35c;">"{}"</span>,x);</div> <div style="padding: 0 6px; white-space: pre; line-height: 130%;">}</div> </div> <div style="text-align: right; margin-top: -13px; margin-right: 5px; font-size: 9px; font-style: italic;"><a style="color: #e5e5e5text-decoration:none;" href="http://colorscripter.com/info#e" target="_blank" rel="noopener">Colored by Color Scripter</a></div> </td> <td style="vertical-align: bottom; padding: 0 2px 4px 0;"><a style="text-decoration: none; color: white;" href="http://colorscripter.com/info#e" target="_blank" rel="noopener"><span style="font-size: 9px; word-break: normal; background-color: #e5e5e5; color: white; border-radius: 10px; padding: 1px;">cs</span></a></td> </tr> </tbody> </table> </div> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">use std::io를 이용해서 stdin, stdout를 사용한다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">mutable(가변) 변수 s를 String::new()로 설정한다.</p> <p data-ke-size="size16">io::stdin().read_line(&amp;mut s)에서 s에 입력을 받는다.</p> <p data-ke-size="size16">li에 split한 s를 할당한다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">x이라는 i32형 변수를 할당한다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">li의 모든 값에 대해서 i32형태로 바꾸고 x에 더한다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">x를 출력한다.</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="1139" data-origin-height="71"><span data-url="https://blog.kakaocdn.net/dn/chen1l/btskfsqMmN3/dlu8JM1Kcie5Bk1RMn8aoK/img.png" data-phocus="https://blog.kakaocdn.net/dn/chen1l/btskfsqMmN3/dlu8JM1Kcie5Bk1RMn8aoK/img.png"><img src="https://blog.kakaocdn.net/dn/chen1l/btskfsqMmN3/dlu8JM1Kcie5Bk1RMn8aoK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fchen1l%2FbtskfsqMmN3%2Fdlu8JM1Kcie5Bk1RMn8aoK%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="1139" height="71" data-origin-width="1139" data-origin-height="71"/></span></figure> </p> Study/PS PS 백준 dys4nt https://dys4nt.tistory.com/33 https://dys4nt.tistory.com/33#entry33comment Sun, 18 Jun 2023 14:27:42 +0900 [cce2023jr QUALS CTF] pphhpp https://dys4nt.tistory.com/32 <p data-ke-size="size16">문제 소스를 보면&nbsp;</p> <p data-ke-size="size16">[config.php]</p> <pre id="code_1686831451920" class="php" data-ke-language="php" data-ke-type="codeblock"><code>&lt;?php $flag = file_get_contents("/flag"); function is_safe_url($url) { // Allow only http(s) if(!preg_match('/^https?:\/\/.*$/', $url)){ return false; } $host = parse_url($url, PHP_URL_HOST); if(!host) { return false; } $ip = gethostbyname($host); $ip = ip2long($ip); if($ip === false){ return false; } $is_inner_ipaddress = ip2long('127.0.0.0') &gt;&gt; 24 == $ip &gt;&gt; 24 or ip2long('10.0.0.0') &gt;&gt; 24 == $ip &gt;&gt; 24 or ip2long('172.16.0.0') &gt;&gt; 20 == $ip &gt;&gt; 20 or ip2long('192.168.0.0') &gt;&gt; 16 == $ip &gt;&gt; 16 ; if($is_inner_ipaddress){ return false; } return true; } extract($_GET); ?&gt;</code></pre> <p data-ke-size="size16">index.php에서 config.php를 로드한 후 ?url=http(s):// 형태로 GET 요청을 보내면 is_safe_url을 통해서 내부 IP가 아님을 검증한 후 프록시 역할을 하는 서버임을 알 수 있는데, 0.0.0.0은 필터링이 되어있지 않다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">?url=http://0.0.0.0/flag.php를 입력하면 문제가 풀리게 된다.</p> Study/Hacking cce2023 web dys4nt https://dys4nt.tistory.com/32 https://dys4nt.tistory.com/32#entry32comment Thu, 15 Jun 2023 21:20:17 +0900 [cce2023jr QUALS CTF] KMAIL https://dys4nt.tistory.com/31 <p data-ke-size="size16">SSTI로 간단하게 풀리는 문제.</p> <p data-ke-size="size16">&nbsp;main.go 파일의 215줄부터 보면,</p> <pre id="code_1686831119637" class="go" data-ke-language="go" data-ke-type="codeblock"><code>tmpl := fmt.Sprintf(` &lt;p&gt;--------------------------------------&lt;/p&gt; &lt;table border="0" cellspacing="0" cellpadding="0"&gt; &lt;tr&gt; &lt;td&gt; &lt;img src="data:image/png;base64,{{.File}}" style="heigth:90px;width:70px" alt="Profile Image"&gt; &lt;/td&gt; &lt;td valign="top" style="vertical-align: middle;"&gt; &lt;strong&gt;{{.Name}}&lt;/strong&gt;&lt;br&gt; &lt;a href="mailto:{{.Email}}"&gt;{{.Email}}&lt;/a&gt;&lt;br&gt; &lt;span&gt;tel : %s&lt;/span&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/table&gt;`, r.URL.Query().Get("tel")) t, err := template.New("page").Parse(tmpl) if err != nil { fmt.Println(err) } t.Execute(w, &amp;s)</code></pre> <p data-ke-size="size16">%s 형태로 문자열이 들어가는 곳에서 SSTI 취약점이 발생하는 것을 확인할 수 있다.</p> <p data-ke-size="size16">?tel={{.Email}}을 입력했을 때 이메일이 tel 위치에 출력된다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">t.Execute(w,&amp;s)를 통해 전달되는 s구조체에는 LoadFile이라는 함수도 포함되어 있으므로 이를 템플릿 구문에서 {{.LoadFile "../../flag"}} 형태로 실행할 수 있고 실행시 플래그가 나온다.</p> <p data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="941" data-origin-height="161"><span data-url="https://blog.kakaocdn.net/dn/YnBLt/btsj5ZavGbr/k6WNvyM3r6KkzOON4mUKK0/img.png" data-phocus="https://blog.kakaocdn.net/dn/YnBLt/btsj5ZavGbr/k6WNvyM3r6KkzOON4mUKK0/img.png" data-alt="base64인코딩된 플래그 출력"><img src="https://blog.kakaocdn.net/dn/YnBLt/btsj5ZavGbr/k6WNvyM3r6KkzOON4mUKK0/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FYnBLt%2Fbtsj5ZavGbr%2Fk6WNvyM3r6KkzOON4mUKK0%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="941" height="161" data-origin-width="941" data-origin-height="161"/></span><figcaption>base64인코딩된 플래그 출력</figcaption> </figure> <figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="941" data-origin-height="686"><span data-url="https://blog.kakaocdn.net/dn/rj0RI/btsj8hBak3Z/lD6VxvXEf1Kvxspdk18xpK/img.png" data-phocus="https://blog.kakaocdn.net/dn/rj0RI/btsj8hBak3Z/lD6VxvXEf1Kvxspdk18xpK/img.png"><img src="https://blog.kakaocdn.net/dn/rj0RI/btsj8hBak3Z/lD6VxvXEf1Kvxspdk18xpK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Frj0RI%2Fbtsj8hBak3Z%2FlD6VxvXEf1Kvxspdk18xpK%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="941" height="686" data-origin-width="941" data-origin-height="686"/></span></figure> </p> <p data-ke-size="size16">&nbsp;</p> Study/Hacking cce2023 web dys4nt https://dys4nt.tistory.com/31 https://dys4nt.tistory.com/31#entry31comment Thu, 15 Jun 2023 21:15:48 +0900