2021 Balsn CTF - Cheater

Sun, Nov 28, 2021 2-minute read

Challenge: Cheater

Cheater

407 points / 6 solves


Challenge Info

As a CTF player, how do I solve challenges and get the flags?
NO, I don't! I infiltrate spies into the CTF organizers' family.
Their girlfriend, boyfriend, wife, husband, adopted son and even their pet cat!
Spies will try to borrow their computer for playing a tiny tiny pixel-art video game...
That's a trap! The game is actually an interface to contact headquarters for further commands!
But a double secret agent stole my flag!
Haha, that's a bait, help me to find out which flag was leaked so I can target the perpetrator.
The story, names, and incidents portrayed in this description are fictitious.

Attachment: cheater.zip

Author: nini Verifier: how2hack(3hr)

Solution

After unzipping, the files that matter are flag-online.exe and SUS.pcapng.

flag-online.exe is a game written in Nim. It has three screens:

  • 0: the initial BALSN "press space to START" screen
  • 1: a (very hard) bullet-hell game
  • 2: a text input screen

Screenshots of screen 0, screen 1 and screen 2.


The active screen is determined by currentState__Wc09cKuZYDia4B4v9cw7TNVA (flag-online.exe+0x141334); writing that value directly switches screens.

The per-screen logic lives in gameUpdate__MMnayPNQfg8okpCrPMJHoA, where each screen has its own update function.

Screen 2's update function is update__1eM9auCeT70xrbC2fzp7DfQ_2, and it chooses its behaviour from the value of btn__YHtl8a4TnIMBu5x8edbrZQ:

  • 0: Arrow Left
  • 1: Arrow Right
  • 2: Arrow Up
  • 3: Arrow Down
  • 4: Space
  • 5: sends a request to http://flag-online.balsn.tw:7414/antibalsn/gameOver/<payload>
  • 9: sends a request to http://flag-online.balsn.tw:7414/antibalsn/gameState and displays the returned data on screen

In addition, init__1eM9auCeT70xrbC2fzp7DfQ sends a request to http://flag-online.balsn.tw:7414/antibalsn/antibalsn/regist during initialisation.

All data exchanged with the server is encoded and encrypted:

  • the encoding is base64
  • the cipher was not fully worked out; the relevant routines are:
    • encrypt__l7V4zu461RHdTkKYdKDbtw
    • decrypt__yTNT7OFdw4VeC8mj9be88kA_part_0

The payload of every client/server exchange can be recovered from SUS.pcapng.


btn(9) decrypts the payload it receives and displays it, so the easy route is to mock up a server that feeds the captured payloads back to the client in capture order and let the client do the decryption.

client (flag-online.exe):

  • switch to screen 2 first
  • patch the flow around btn(9) (flag-online.exe+0x73845) so that it keeps requesting payloads from http://flag-online.balsn.tw:7414/antibalsn/gameState

server:

from flask import Flask

app = Flask(__name__)

# Responses replayed from the client/server exchanges captured in SUS.pcapng.
REGIST_RESPONSE = '05INporeqfZjZ7lgrUtfi/dnmpswNW127z+KKN8h8RE=\nOZIKeiOhKij5kxxSvZNQ+29XPzP5Q61kNGFyb+bMn8A=\nAGHrWuOtb5rQ+OC7CbmDPQ=='

GAME_STATE_PAYLOADS = [
    'ej11h3gdBqW5R+tNHW5xsOz1iLlYAJpCGdo3YOClzaYOpCvBhF6wFNC/YlCzDbtdiYq8+sfGBbhkEXL8FmJV5uBBXJ0OR4OstnCg6gjkQYI=',
    'bRvh/P2mhVRKOjx+3yPxqcFYKk6W3x7kO28IY5ckcf4C3YMbBuN941wrmtNfLOz9xXO65th7ZAeVad+Z8HPRxTJeuRIKTaqv6cAN28UFbOJJA2uefQLFzp+Fl3B8T4Kk',
    'FgbDTDkDqxnRbtahXsXdekET4/zpL/JNIK22VSnUJcmi10yDH4vrqjKFRn5Ub7ns6lusReLGDBJ24ypdlTI1r3yIUxCQGGXM4SlXUsHtl24hF44n49C/igkpLYoB0A1/pkCE/pkoBo6uKAJDwT3kQDzZDJRWgTBuw6wj8TpQ2VNdYucjdugbbQjmyxQrb0kk2O4ZBxYst1AOJh7kfTOutsPGSAtQ9Gn16PKMEeTw6XEhttR1l/X5j0jEpnKI2gAY5cxsOsB7dPsuampYXtZ7HQ==',
    'zdeuKXamubFEU24lGKBlaBR/RX2Xr71Ww7j2PxWzKbGXxP8RXOct7OyeqLo32C0tIxYWM53JpmatzOnY8fNJ+xc4P+RAd7vx34oWFrDQ69zWjSDFwaczbav/bndVj4jKEkHXnxaffFsi4VHyIcM/2OZZVLDNcsMPzkeJQNoy5DHaIVy3NfER1MdQA20O9Y4ff2nWBcdxWJd9SGt0T3F/ZS6NOSAXagSUe6XF8Lz7e7LlYlBt2UkKw+FZSVlxr3XUZj7VDYYM61iOSNqXpozD1FbkC9iQihkDZ8as91SBQRk=',
    'Lf9qPeoKXgzno0hTiuAr+57MFeOSp69vgcqawBGckN9rHdMnJyaoVTPgaV6lqwvuz4zQPGLNbnBs1Vvt741zBwWuWHqMVJEwZsQOt3TZHM4aCDuhqNLAh1YzA9JCFPZc7U3rQZmRBqkS7/3m1qLHhlrWYs+DUv0qp7WRAxvQERajujTSYA4mh4iFqrZH6UrXnHx1QKNWd749iDfU7J8AAcSzPnjl9cod9W1iq1x5lKiNAvbmJ5lhlmvN6tCI0pI3wEF7r94gCZF4YwT70FOzjsyU3f6ipFUifPUXgVJhIkN5G/xqk96nhO2Kz+6/1KkGJamXlwykSdhUzMWmGuESJ4GTliI9NJ4fAGMJx5cl0FY=',
    'z7EP7CgNyYCtNb4fia2LO2dTA+Xtcwm4AL5tXmJmO9k=',
    'n8sWY0lKjZGmL6uzGoQKReCk2fNsaoQEPuCJJpT1twA=',
]

@app.route('/antibalsn/regist/')
def regist():
    # The client registers once during init; answer with the captured response.
    return REGIST_RESPONSE


cnt = -1
@app.route('/antibalsn/gameState')
def gameState():
    # Hand the patched client the next captured payload; it decrypts and displays it.
    global cnt
    cnt += 1
    if cnt >= len(GAME_STATE_PAYLOADS):
        return '', 404  # capture exhausted; stop instead of indexing past the list
    return GAME_STATE_PAYLOADS[cnt]

if __name__ == '__main__':
    app.run(port=7414, host='0.0.0.0', debug=True)
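As an added example, not code from the writeup, the same replay idea built on the standard library only: a small server that hands the captured gameState payloads to the patched client in capture order, validates that each string is well-formed base64 before serving it, and answers 410 once the list is used up so the client's request loop gets a clean stop instead of a server error. The payload strings below are constructed stand-ins for the base64 from SUS.pcapng, and it assumes the client has been pointed at this host (a hosts-file entry for flag-online.balsn.tw, for instance).

```python
import base64
import binascii
from http.server import BaseHTTPRequestHandler, HTTPServer

class ReplayState:
    """Hands out captured gameState payloads in capture order; None when used up."""
    def __init__(self, payloads):
        for p in payloads:
            try:
                base64.b64decode(p, validate=True)  # catch mangled captures early
            except binascii.Error as exc:
                raise ValueError(f"not base64: {p!r}") from exc
        self.payloads = list(payloads)
        self.served = 0

    def next_payload(self):
        if self.served >= len(self.payloads):
            return None  # capture exhausted: tell the client loop to stop
        self.served += 1
        return self.payloads[self.served - 1]

# Constructed stand-ins; the real values are the base64 strings from SUS.pcapng.
REGIST_BODY = "YWJj\nZGVm\nZ2hp"
STATE = ReplayState(["cGF5bG9hZDE=", "cGF5bG9hZDI=", "cGF5bG9hZDM="])

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        path = self.path.rstrip("/")
        if path.endswith("/antibalsn/regist"):  # also matches the doubled prefix
            status, body = 200, REGIST_BODY
        elif path.endswith("/antibalsn/gameState"):
            body = STATE.next_payload()
            status = 200 if body is not None else 410  # 410 Gone: capture exhausted
            body = body or ""
        else:
            status, body = 404, ""
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 7414), Handler).serve_forever()
```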

Everything the client decrypts is shown on screen, and the flag is among it.

Flag

BALSN{niconjconi_this_is_an_onL1N3_G4ME!!=_=}