Commit
1 parent: dd33ca4, commit: 130b564
Showing 26 changed files with 438 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
--- | ||
tags: | ||
- BSidesSF | ||
- BSidesSF-2024 | ||
- Forensics | ||
- Word | ||
--- | ||
|
||
تو این چلنج به ما یه فایل docx دادن که یه سری عکس رو نشون میده | ||
|
||
در قدم اول مواجهه با فایل ورد، باید بازش کنیم و اگه فلگی توش نبود، در وهله دوم با zip viewer بازش کنیم | ||
|
||
تو محتویات متنی این فایل هم فلگی نبود و پس با zip viewer بازش میکنیم =))) | ||
|
||
![doctor-1](doctor-1.png) | ||
|
||
یکم که تو فولدر ها بگردیم و یه سری چیزا مثل وجود داشتن یا نداشتن macro مطمئن بشیم، چشممون میخوره به عکس هایی که تو فایل ورود گنجونده شدن | ||
|
||
اما wait, what? | ||
|
||
![doctor-2](doctor-2.png) | ||
|
||
چرا ۵ تا عکسه؟ | ||
مگه تو فایل ورد ۴ تا نبود؟ | ||
|
||
یه عکس اضافیه | ||
|
||
که اونم image-0.png هست فلگ توشه | ||
|
||
![doctor-3](doctor-3.png) | ||
|
||
|
||
--- | ||
??? success "FLAG :triangular_flag_on_post:" | ||
<div dir="ltr">`CTF{st0ck_cut3_p1c5}`</div> | ||
|
||
|
||
!!! نویسنده | ||
[SafaSafari](https://twitter.com/SafaSafari3) | ||
|
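Review bot: the sentence about making sure "things like the presence or absence of macros" is asserted but never shown; say what was inspected (for a .docx the indicator is a `word/vbaProject.bin` entry and its reference in `[Content_Types].xml`), and give the listing command behind the screenshot (e.g. `unzip -l <challenge>.docx`) so the five-versus-four image count (normally under `word/media/`) can be reproduced without doctor-2.png. The conclusion that `image-0.png` is the extra, unreferenced image would be stronger if the writeup showed that `word/document.xml` / `word/_rels/document.xml.rels` reference only the other four.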
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
--- | ||
tags: | ||
- BSidesSF | ||
- BSidesSF-2024 | ||
- Forensics | ||
- Word | ||
--- | ||
|
||
اینجا هم یه فایل docx به ما دادن و بعد از باز کردنش متوجه میشیم باید با zip viewer هم یه فرصت بهش بدیم | ||
|
||
عه این فایل getflag.class چیه اینجا؟ | ||
|
||
![javai-1](javai-1.png) | ||
|
||
فایل رو اکسترکت میکنیم و میریم سراغ JadX و فایل رو باز میکنیم و فلگ رو دو دستی تقدیممون میکنه | ||
|
||
![javai-2](javai-2.png) | ||
|
||
--- | ||
??? success "FLAG :triangular_flag_on_post:" | ||
<div dir="ltr">`CTF{javai_java_with_100x_ai}`</div> | ||
|
||
|
||
!!! نویسنده | ||
[SafaSafari](https://twitter.com/SafaSafari3) |
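Review bot: the writeup does not record where `getflag.class` sat inside the archive or how it was packaged; a compiled Java class is not a normal OOXML part, so note the zip path and whether anything in `[Content_Types].xml` or a `.rels` file references it, and state the exact JadX step (opening the single extracted `.class` file rather than a jar/apk) so the result is reproducible without javai-1.png. One sentence on what `getflag.class` does when decompiled (is the flag a literal string, or computed?) would also make the "hands the flag over" remark concrete.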
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
--- | ||
tags: | ||
- BSidesSF | ||
- BSidesSF-2024 | ||
- Forensics | ||
- PNG | ||
--- | ||
|
||
|
||
اینجا یه عکس داریم که یه تیکش با ادیتور موبایل روش خط کشیده شده | ||
|
||
![redacted-1](redacted-1.png) | ||
|
||
یه بار یه ترفند تو توییتر دیدم که میشد زیر این خطا رو خوند =))) | ||
|
||
پس دست به کار شدم و تو gimp فایل رو باز کردم و | ||
|
||
با یکم بازی بازی کردن با آپشنای gimp تونستم فلگ رو بکشم بیرون | ||
|
||
![redacted-2](redacted-2.png) | ||
|
||
--- | ||
??? success "FLAG :triangular_flag_on_post:" | ||
<div dir="ltr">`CTF{censor_this}`</div> | ||
|
||
|
||
!!! نویسنده | ||
[SafaSafari](https://twitter.com/SafaSafari3) | ||
|
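Review bot: the decisive step ("with a bit of playing around with GIMP's options I was able to pull the flag out") is the one thing a reader needs and it is not named; state which adjustment recovered the text (Colors > Levels, Curves, a single channel view, or a threshold) and the values used, and link the Twitter trick the paragraph refers to. The page currently shows the result (redacted-2.png) but not the reason the stroke was recoverable; one sentence on that would turn the trick into a redaction lesson for readers.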
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
--- | ||
tags: | ||
- BSidesSF | ||
- BSidesSF-2024 | ||
- Forensics | ||
- SGI | ||
- Steganography | ||
--- | ||
|
||
این چلنج ۴ تا فلگ مختلف داشت که موفق شدم ۳ تاشون رو به دست بیارم | ||
|
||
پسوند فایل چیه؟ sgi دیگه چه کوفتیه؟ | ||
|
||
مهم نیس | ||
|
||
چون اگه دبل کلیک کنیم روش، با gimp باز میشه :joy: | ||
|
||
به شخصه خیلی باهاش بازی بازی کردم و تا بالاخره فهمیدم اگه layer alpha رو مخفی کنم، یه فلگ میزنه بیرون | ||
|
||
![sgai-1](sgai-1.png) | ||
|
||
برا فلگ بعدی باید حرفه ای تر عمل کنیم :sunglasses: | ||
|
||
پس میریم سراغ hex editor | ||
|
||
![sgai-2](sgai-2.png) | ||
|
||
زارت فلگ بعدی هم دراومد =))) | ||
|
||
برا فلگ سوم بعد از ساعتها آزمون و خطا تصمیم گرفتم یه فایل sgi دیگه وردارم و با این مقایسه کنم | ||
|
||
پس با این دستور، یه rebase از همین فایل sgi ساختم و هردو رو تو hex editor باز کردم | ||
|
||
```bash | ||
convert sgai.sgi a.sgi | ||
``` | ||
|
||
![sgai-3](sgai-3.png) | ||
|
||
|
||
تفاوت واضحه | ||
|
||
یه مشت FF اینور هستن که اونور 00 ان | ||
|
||
با بررسی struct فایل [از اینجا](https://en.wikipedia.org/wiki/Silicon_Graphics_Image) | ||
فهمیدم که این تیکه پدینگه | ||
|
||
پس کل پدینگ که میشه از 0x6c تا 0x1ff کپی کردم xor زدم با FF تا همشون 00 بشن | ||
|
||
![sgai-4](sgai-4.png) | ||
|
||
اینم از فلگ سوم | ||
|
||
--- | ||
??? success "FLAG :triangular_flag_on_post:" | ||
<div dir="ltr">`CTF{i_name_thee_flag}`</div> | ||
<div dir="ltr">`CTF{invisibility_cloak}`</div> | ||
<div dir="ltr">`CTF{padpadpad_really_do_we_need_512}`</div> | ||
|
||
|
||
!!! نویسنده | ||
[SafaSafari](https://twitter.com/SafaSafari3) | ||
|
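Review bot: "rebase" in the sentence before the `convert` block is the wrong word; `convert sgai.sgi a.sgi` re-encodes the image with ImageMagick, producing a clean SGI whose header padding is all zero, so call it a re-encode and name the tool. The XOR sentence also states the goal as "so they all become 00", but the bytes of interest are the ones that do not: the 0x6c..0x1ff region is the dummy padding of the 512-byte SGI header (the linked Wikipedia struct), the filler here was 0xFF instead of 0x00, and XORing the whole region with 0xFF inverts it so the hidden content comes out as readable bytes; saying that makes sgai-4.png understandable. The unsolved fourth flag should be listed as unsolved in the FLAG block rather than silently omitted.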
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
--- | ||
tags: | ||
- BSidesSF | ||
- BSidesSF-2024 | ||
- Forensics | ||
--- | ||
|
||
این چلنج ساده ترین چلنج بود =)) | ||
|
||
یه binwalk ساده میتونست فلگ رو در بیاره | ||
|
||
```bash | ||
binwalk --dd=".*" floppy.img | ||
``` | ||
|
||
![undelete-1](undelete-1.png) | ||
|
||
--- | ||
??? success "FLAG :triangular_flag_on_post:" | ||
<div dir="ltr">`CTF{144_mb_enough_for_anybody}`</div> | ||
|
||
|
||
!!! نویسنده | ||
[SafaSafari](https://twitter.com/SafaSafari3) | ||
|
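Review bot: the command is given but its result is not; record the signatures binwalk reported for floppy.img and the name of the extracted file that held the flag, since `--dd=".*"` extracts every matched signature and a reader cannot tell from undelete-1.png which output to open. Given the challenge name, a line on the filesystem (what `file floppy.img` reports, and whether the flag lived in a deleted directory entry rather than as an embedded file) would explain why blind carving was enough here.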
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
--- | ||
tags: | ||
- BSidesSF | ||
- BSidesSF-2024 | ||
- Forensics | ||
--- | ||
|
||
این چلنج از اون یکی هم راحت تره :joy: | ||
|
||
با exiftool فلگ در میاد | ||
|
||
![ztxt-1](ztxt-1.png) | ||
|
||
--- | ||
??? success "FLAG :triangular_flag_on_post:" | ||
<div dir="ltr">`CTF{zhis_zis_zhe_zlag}`</div> | ||
|
||
|
||
!!! نویسنده | ||
[SafaSafari](https://twitter.com/SafaSafari3) | ||
|
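Review bot: `exiftool` is named but neither the invocation nor the tag it printed is shown; add the command and the metadata field that carried the flag. The challenge name points at the PNG `zTXt` (compressed text) chunk, so say so, and add the `PNG` tag to the front matter for consistency with the redacted writeup, which tags its PNG challenge that way.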
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,113 @@ | ||
--- | ||
tags: | ||
- BSidesSF | ||
- BSidesSF-2024 | ||
- Reverse | ||
- Android | ||
--- | ||
|
||
اولین کاری که در مواجهه با چلنج اندرویدی باید انجام بدیم چیه؟ همتون میگید اجرا اما نه!! باز کردنش تو JadX اولین کاریه که حرفه ای ها میکنن =))) | ||
|
||
با یکم گشتن تو کلاس ها و توابع برنامه میرسیم به این تیکه کد | ||
![Shinji](shinji-1.png) | ||
|
||
```java | ||
public final String flagDisplay() { | ||
String string; | ||
String string2; | ||
String string3 = getString(R.string.app_string); | ||
Intrinsics.checkNotNullExpressionValue(string3, "getString(...)"); | ||
String prefixString = "shinji-"; | ||
StringBuilder sb = new StringBuilder(); | ||
long seconds = System.currentTimeMillis() / 1000; | ||
if (seconds >= 1577865600 && seconds <= 1735718400) { | ||
String secondsString = String.valueOf(seconds); | ||
String tempString = "shinji-" + secondsString; | ||
MessageDigest md5Digest = MessageDigest.getInstance("MD5"); | ||
byte[] bytes = tempString.getBytes(Charsets.UTF_8); | ||
Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)"); | ||
byte[] md5Result = md5Digest.digest(bytes); | ||
Intrinsics.checkNotNull(md5Result); | ||
int length = md5Result.length; | ||
int i = 0; | ||
while (true) { | ||
string = string3; | ||
String prefixString2 = prefixString; | ||
if (i >= length) { | ||
break; | ||
} | ||
byte b = md5Result[i]; | ||
StringCompanionObject stringCompanionObject = StringCompanionObject.INSTANCE; | ||
String format = String.format("%02X", Arrays.copyOf(new Object[]{Byte.valueOf(b)}, 1)); | ||
Intrinsics.checkNotNullExpressionValue(format, "format(format, *args)"); | ||
sb.append(format); | ||
i++; | ||
string3 = string; | ||
prefixString = prefixString2; | ||
seconds = seconds; | ||
} | ||
String sb2 = sb.toString(); | ||
Intrinsics.checkNotNullExpressionValue(sb2, "toString(...)"); | ||
String md5String = sb2.toLowerCase(Locale.ROOT); | ||
Intrinsics.checkNotNullExpressionValue(md5String, "this as java.lang.String).toLowerCase(Locale.ROOT)"); | ||
MessageDigest sha1Digest = MessageDigest.getInstance("SHA-1"); | ||
byte[] bytes2 = md5String.getBytes(Charsets.UTF_8); | ||
Intrinsics.checkNotNullExpressionValue(bytes2, "this as java.lang.String).getBytes(charset)"); | ||
byte[] sha1Result = sha1Digest.digest(bytes2); | ||
StringBuilder sb22 = new StringBuilder(); | ||
Intrinsics.checkNotNull(sha1Result); | ||
int length2 = sha1Result.length; | ||
int i2 = 0; | ||
while (i2 < length2) { | ||
byte b2 = sha1Result[i2]; | ||
StringCompanionObject stringCompanionObject2 = StringCompanionObject.INSTANCE; | ||
byte[] sha1Result2 = sha1Result; | ||
String format2 = String.format("%02X", Arrays.copyOf(new Object[]{Byte.valueOf(b2)}, 1)); | ||
Intrinsics.checkNotNullExpressionValue(format2, "format(format, *args)"); | ||
sb22.append(format2); | ||
i2++; | ||
length2 = length2; | ||
sha1Result = sha1Result2; | ||
} | ||
String sb3 = sb22.toString(); | ||
Intrinsics.checkNotNullExpressionValue(sb3, "toString(...)"); | ||
String sha1String = sb3.toLowerCase(Locale.ROOT); | ||
Intrinsics.checkNotNullExpressionValue(sha1String, "this as java.lang.String).toLowerCase(Locale.ROOT)"); | ||
if (Intrinsics.areEqual(sha1String, "75b1d234851cdc94899eae8c97adce769e8ddb26")) { | ||
Intrinsics.checkNotNullExpressionValue(getString(R.string.part_one), "getString(...)"); | ||
return (string2 + secondsString) + getString(R.string.part_three); | ||
} | ||
return string; | ||
} | ||
return string3; | ||
} | ||
``` | ||
|
||
تیکه اول کد که واضحا در حال ساخت یک فرمت `shinji-1577865600` هست. | ||
اما عددی که جلوش قرار میگیره تایم استمپ اون لحظه اس (اگه نمیدونین تایم استمپ چیه، [اینجا رو بخونید](https://fa.wikipedia.org/wiki/%D8%A8%D8%B1%DA%86%D8%B3%D8%A8_%D8%B2%D9%85%D8%A7%D9%86)) | ||
|
||
در ادامه میاد ازش md5 میگیره و بعدش هگز اون رو درمیاره و از هگز اون sha1 میگیره و با `75b1d234851cdc94899eae8c97adce769e8ddb26` مقایسش میکنه | ||
اگه برابر باشه، تایم اون لحظه رو به صورت فلگ بهمون نشون میده | ||
|
||
کار ساده و روشنه | ||
یه اسکریپت میخوایم که اون تایم رو بروت فورس کنه و اگه هش صدق میکرد، عدد رو به ما برگردونه | ||
```py | ||
from hashlib import sha1, md5 | ||
|
||
for i in range(1577865600, 1735718400): | ||
if sha1(md5("shinji-{}".format(i).encode()).hexdigest().encode()).hexdigest().lower() == "75b1d234851cdc94899eae8c97adce769e8ddb26": | ||
break | ||
|
||
print("CTF{{{}}}".format(i)) | ||
``` | ||
|
||
بعد از چند دقیقه اجرا، فلگ به نمایش در میاد | ||
|
||
--- | ||
??? success "FLAG :triangular_flag_on_post:" | ||
<div dir="ltr">`CTF{1615212000}`</div> | ||
|
||
|
||
!!! نویسنده | ||
[SafaSafari](https://twitter.com/SafaSafari3) | ||
|
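Review bot: the brute-force script has two defects. The Java check is `seconds <= 1735718400` (inclusive) but `range(1577865600, 1735718400)` stops one short, so the last candidate is never tested; use `range(1577865600, 1735718401)`. And if no candidate matches, the loop falls through and `print("CTF{{{}}}".format(i))` happily emits the last `i` as a flag; move the print into a `for ... else` or track a found flag so a miss is reported instead. Minor: `.lower()` on `hexdigest()` is redundant, it is already lowercase. In the decompiled listing, `string2` is declared at the top and used in `return (string2 + secondsString) + getString(R.string.part_three)` without ever being assigned, while the result of `getString(R.string.part_one)` two lines earlier is discarded; that is a JADX artifact worth a sentence in the prose, since the prefix presumably comes from `R.string.part_one` (the final flag `CTF{1615212000}` is consistent with `CTF{` + timestamp + `}`).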