require'httpcap'HTTPcap.http_flows('./http.pcap') do |flow|
p flow.request.body
# => "{\"userId\":12345}"
p flow.request.headers['Authorization']
# => "Bearer hogehoge123455567890"
p flow.response.http_status
# => 200
p flow.response.body
# => "{\"userId\":12345,\"name\":\"naari3\",\"author\":true}"
p flow.request.headers['Content-Length']
# => "46"end
$ sudo systemctl stop docker
$ sudo ip link set dev docker0 down
$ sudo ip link del dev docker0
$ ip r
default via 10.0.2.2 dev enp0s3 proto static metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
172.18.0.0/16 dev br-da27a92cc9df proto kernel scope link src 172.18.0.1
192.168.100.0/24 dev enp0s8 proto kernel scope link src 192.168.100.20 metric 100
// docker0 がないことを確認する
$ cat /usr/lib/systemd/system/docker.service
~~省略~~
[Service]
~~省略~~
+EnvironmentFile=/etc/sysconfig/docker
-ExecStart=/usr/bin/dockerd -H unix://
+ExecStart=/usr/bin/dockerd -H unix:// $OPTIONS
~~省略~~
$ cat /etc/sysconfig/docker
+OPTIONS="--bip=10.17.0.1/16"
$ sudo systemctl daemon-reload
$ sudo systemctl start docker
$ ip r
default via 10.0.2.2 dev enp0s3 proto static metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
172.18.0.0/16 dev br-da27a92cc9df proto kernel scope link src 172.18.0.1
10.17.0.0/16 dev docker0 proto kernel scope link src 10.17.0.1
192.168.100.0/24 dev enp0s8 proto kernel scope link src 192.168.100.20 metric 100
// docker0のdestがbipで指定したやつになっている💯
Errno::ENOENT:
# No such file or directory @ apply2files - /Users/naari3/src/github.com/naari3/some_project/tmp/cache/FB1/000/.permissions_check.70365749710360.44558.326263
# ./app/models/user.rb:25:in `info
実行
実行する
$ rails parallel:spec
4 processes for 224 specs, ~ 56 specs per process
Randomized with seed 58546
....
Randomized with seed 39588
..
Randomized with seed 40142
......................
Randomized with seed 39700
........
(省略)
Coverage report generated for (1/4), (2/4), (3/4), (4/4), RSpec to /Users/naari3/src/github.com/naari3/some_project/coverage. 4352 / 5499 LOC (79.14%) covered.
1707 examples, 0 failures, 1 pending
Took 171 seconds (2:41)
N = 97139961312384239075080721131188244842051515305572003521287545456189235939577
E = 65537
C = 77361455127455996572404451221401510145575776233122006907198858022042920987316
P = 299681192390656691733849646142066664329
Q = 324144336644773773047359441106332937713
あとはCを復号します
import rsa
import binascii
N = 97139961312384239075080721131188244842051515305572003521287545456189235939577
E = 65537
C = 77361455127455996572404451221401510145575776233122006907198858022042920987316
P = 299681192390656691733849646142066664329
Q = 324144336644773773047359441106332937713
D = rsa.key.calculate_keys_custom_exponent(P, Q, E)[1]
plain = pow(C, D, N)
print(binascii.unhexlify(hex(plain)[2:]).decode('utf-8'))
ctf4b{5imple_rs4_1s_3asy_f0r_u}
Pwn
1問しか解いてません
1問解けたので満足しています
pwnはそれぞれサーバーのバイナリが用意されていました
[Warmup] condition
接続すると
Please tell me your name...
となり、 文字列を入力すると
Please tell me your name...testtest
Permission denied
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-dtZQXTtwWaTWzlzbWQI5YFQO/v4LWqNq9cqtOQ8D9nI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
zipは鍵がかかっており、パスワードを尋ねられたので you_are_pro と入力したら解凍できました PRO
ctf4b{email_with_encrypted_file}
てけいさんえくすとりーむず
$ nc tekeisan-ekusutoriim.chall.beginners.seccon.jp 8690
Welcome to TEKEISAN for Beginners -extreme edition-
---------------------------------------------------------------
Please calculate. You need to answered 100 times.
e.g.
(Stage.1)
4 + 5 = 9
...
(Stage.99)
4 * 4 = 869
[!!] Wrong, see you.
---------------------------------------------------------------
(Stage.1)
869 + 924 = 1793
(Stage.2)
665 * 677 = a
[!!] Wrong, see you.
こういうやつでした、愚直に解くものを書きます
from socket import *
s = socket(AF_INET, SOCK_STREAM)
s.connect(('tekeisan-ekusutoriim.chall.beginners.seccon.jp', 8690))
whileTrue:
text = s.recv(4096)
print text
prob = text.split('\n')[-1]
ans = eval("".join(prob.split(' ')[:3]))
print ans
s.send("{}\n".format(ans))
$ foremost -t pdf -i disk.img
foremost: /usr/local/etc/foremost.conf: No such file or directory
Processing: disk.img
|*|
$ tree ./output
./output
├── audit.txt
└── pdf
└── 00018946.pdf