
[corCTF 2022] whack-a-frog

whack-a-frog


๋‚˜๋ฆ„ ์žฌ๋ฏธ์žˆ์—ˆ๋˜ forensic ๋ฌธ์ œ์˜€๋‹ค.

On the challenge page, countless frogs sitting in wells greet me. If I drag while holding the mouse button down, the frogs along that path hide in their wells. From this alone I can't tell what the challenge is about.

The file has a .pcap extension, so I opened it in Wireshark and applied an HTTP filter, which showed x, y and event parameters being sent.
x and y look like the mouse coordinates, and event seems to indicate whether the mouse button is pressed. It looks like the FLAG can be recovered from the path traced while the button is held down.

To work this out, it should be enough to export the packets as plain text and parse x, y and event out of them.
I drew the picture with Python's turtle module, the one I really could not see the point of learning when I first studied Python.


Exploit

import turtle as t

# frog.txt: the packets exported from Wireshark as plain text
with open("./frog.txt", "r", encoding='UTF8') as f:
    data = f.readlines()

def parse_text(data):  # parse x, y and event out of each request line
    x = []
    y = []
    event = []
    for string in data:
        if "event" in string:
            question_split = string.split("?")[1]  # query string after "?"
            ampersand_split = question_split.split("&")
            x.append(ampersand_split[0].split("=")[1])
            y.append(ampersand_split[1].split("=")[1])
            # drop whatever follows the value on the line before splitting on "="
            event.append(ampersand_split[2].split(" ")[0].split("=")[1])

    print_flag(x, y, event)
    return 0

def print_flag(X, Y, EVENT):  # draw FLAG with turtle
    t.penup()
    for i, j, eve in zip(X, Y, EVENT):
        if eve == "mousedown":
            t.pendown()
        if eve == "mousemove":
            t.goto(int(i), -int(j))  # negate y: turtle's y axis points up
        if eve == "mouseup":
            t.penup()
    t.done()  # keep the window open once drawing has finished

parse_text(data)

Drawing the picture with the script above, the string LILYXO appears. This string was the FLAG.




Even without the Turtle module, the challenge can also be solved by printing asterisks.

# frog.txt: the packets exported from Wireshark as plain text
with open("./frog.txt", "r") as f:
    data = f.readlines()

def parse_text(data):  # parse x, y and event out of each request line
    x = []
    y = []
    event = []
    for string in data:
        if "event" in string:
            question_split = string.split("?")[1]  # query string after "?"
            ampersand_split = question_split.split("&")
            x.append(ampersand_split[0].split("=")[1])
            y.append(ampersand_split[1].split("=")[1])
            event.append(ampersand_split[2].split(" ")[0].split("=")[1])

    print_flag(x, y, event)
    return 0

def print_flag(X, Y, EVENT):  # plot the dragged points as asterisks
    height = 100
    width = 700
    table = [[' ' for _ in range(width)] for _ in range(height)]
    mousedown = 1  # 1: button released, 0: button held down
    for i, j, eve in zip(X, Y, EVENT):
        if eve == "mousedown":
            mousedown = 0
        elif eve == "mousemove" and mousedown == 0:
            table[int(j)][int(i)] = "*"  # row = y, column = x
        elif eve == "mouseup":
            mousedown = 1
    for j in table:
        for i in j:
            print(i, end="")
        print("")

parse_text(data)

Personally, I found Turtle graphics a bit more convenient to use.

When drawing, an array treats the top-left corner as (0, 0),
but with Turtle graphics the y coordinate has to be negated, as in t.goto(int(i), -int(j)), for the picture to come out correctly.
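
The same reconstruction as an added example (not part of the original write-up): it parses the query string with urllib.parse instead of positional splits, groups points into strokes between mousedown and mouseup, and rasterizes them into a grid sized to the bounding box. The request-line format, the /track path and every coordinate in SAMPLE are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: request lines as a plain-text packet export might show
# them. The "/track" path and every coordinate are made up for this example.
SAMPLE = """\
GET /track?x=9&y=9&event=mousemove HTTP/1.1
GET /track?x=2&y=1&event=mousedown HTTP/1.1
GET /track?x=2&y=5&event=mousemove HTTP/1.1
GET /track?x=5&y=5&event=mousemove HTTP/1.1
GET /track?x=5&y=5&event=mouseup HTTP/1.1
GET /track?event=mousedown&y=1&x=8 HTTP/1.1
GET /track?x=8&y=5&event=mousemove HTTP/1.1
GET /track?x=8&y=5&event=mouseup HTTP/1.1
"""

def strokes_from_text(text):
    """Group points into strokes: one list per mousedown..mouseup run."""
    strokes, current = [], None
    for m in re.finditer(r"GET (\S+) HTTP/", text):
        q = parse_qs(urlsplit(m.group(1)).query)
        if not all(k in q for k in ("x", "y", "event")):
            continue  # unrelated request
        point, event = (int(q["x"][0]), int(q["y"][0])), q["event"][0]
        if event == "mousedown":
            current = [point]
            strokes.append(current)
        elif event == "mousemove" and current is not None:
            current.append(point)  # moves with the button up are ignored
        elif event == "mouseup":
            current = None
    return strokes

def render(strokes):
    """Rasterize strokes into text rows sized to the bounding box."""
    pts = [p for s in strokes for p in s]
    x0, y0 = min(x for x, _ in pts), min(y for _, y in pts)
    w, h = max(x for x, _ in pts) - x0 + 1, max(y for _, y in pts) - y0 + 1
    grid = [[" "] * w for _ in range(h)]
    for s in strokes:
        for (ax, ay), (bx, by) in zip(s, s[1:] or s):
            n = max(abs(bx - ax), abs(by - ay), 1)
            for i in range(n + 1):  # fill the gap between two samples
                x, y = ax + (bx - ax) * i // n, ay + (by - ay) * i // n
                grid[y - y0][x - x0] = "*"  # row 0 is the top, as on screen
    return ["".join(r).rstrip() for r in grid]

if __name__ == "__main__":
    print("\n".join(render(strokes_from_text(SAMPLE))))
```

Because the grid is sized from the recorded points, no fixed width or height has to be guessed, and interpolating between samples keeps fast drags from leaving dotted letters.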

FLAG : corctf{LILYXOX}

This post is licensed under CC BY 4.0 by the author.