{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-irisctf-2024-en","result":{"data":{"markdownRemark":{"id":"f1e9b8bb-c06f-56ef-843a-aa62ed571c1e","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-irisctf-2024\">original page</a>.</p>\n</blockquote>\n<p>My first CTF of the new year was IrisCTF again, just like last year.</p>\n<p>Here is a brief writeup.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#the-johnsonsrev\">The Johnson’s(Rev)</a></li>\n<li><a href=\"#rune-whats-thatrev\">Rune? 
What’s that?(Rev)</a></li>\n<li><a href=\"#secure-computingrev\">Secure Computing(Rev)</a></li>\n<li><a href=\"#not-just-mediaforensic\">Not Just Media(Forensic)</a></li>\n<li><a href=\"#wheres-skatnetwork\">Where’s skat?(Network)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"the-johnsonsrev\" style=\"position:relative;\"><a href=\"#the-johnsonsrev\" aria-label=\"the johnsonsrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>The Johnson’s(Rev)</h2>\n<blockquote>\n<p>Please socialize with the Johnson’s and get off your phone. 
You might be quizzed on it!</p>\n</blockquote>\n<p>Analyzing the provided ELF challenge binary showed that it was a program that accepted, in order, strings corresponding to Color and Food.</p>\n<p>Investigating the <code class=\"language-text\">check</code> function revealed that it checks which variables store the IDs corresponding to the input Color and Food values, as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 658px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7a78180574087d539f960f6dee9cf594/889a4/image-20240106113116528.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 82.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7a78180574087d539f960f6dee9cf594/8ac56/image-20240106113116528.webp 240w,\n/static/7a78180574087d539f960f6dee9cf594/d3be9/image-20240106113116528.webp 480w,\n/static/7a78180574087d539f960f6dee9cf594/6ad61/image-20240106113116528.webp 658w\"\n              sizes=\"(max-width: 658px) 100vw, 658px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7a78180574087d539f960f6dee9cf594/8ff5a/image-20240106113116528.png 240w,\n/static/7a78180574087d539f960f6dee9cf594/e85cb/image-20240106113116528.png 480w,\n/static/7a78180574087d539f960f6dee9cf594/889a4/image-20240106113116528.png 658w\"\n            sizes=\"(max-width: 658px) 100vw, 658px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/7a78180574087d539f960f6dee9cf594/889a4/image-20240106113116528.png\"\n            alt=\"image-20240106113116528\"\n            title=\"image-20240106113116528\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Once I organized that check logic, I found that it was performing the following conditions and equality comparisons.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">food<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> chicken\nfood<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">!=</span> pasta\nfood<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">!=</span> pasta\nfood<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">!=</span> steak\n\ncolor<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">!=</span> green\ncolor<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">!=</span> red\ncolor<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">!=</span> green\ncolor<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span> <span class=\"token 
operator\">!=</span> yellow\ncolor<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> blue</code></pre></div>\n<p>From this, I was able to determine that the required input order to obtain the flag was as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">color<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> red\ncolor<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> yellow\ncolor<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> green\ncolor<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> blue\n\nfood<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> chicken\nfood<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> pasta\nfood<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> steak\nfood<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> pizza</code></pre></div>\n<p>Entering the strings in that order produced the correct flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      
style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/50bb5ff9861267e94166508a29b4226a/0b6f4/image-20240106113008800.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 30%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBUlEQVQY04WRW0+DQBCF961qfPD+ZGKltVrKpW0oFLClQkEEirSiabz8/59x3BmNUWPjw5czO8meObMrVsMUj3bO1FaGtVuyhk0H9kEP7rEB78SE81mPDzVW90jnvr2vMtQf7akQZPAyWeLJKaRpgWqQ8Hntlaj6CZaDW6SdCeaKh6TtI5Yat3wkF9cITi040ogMaQANFXRpoUe4N2M8WHfIujM2KXoh16Uxh7ndgt44h9FQWL9jbCk/EM9+BeJ1usLbrEY9ylip95E6l6t02bS/0/4XQWkoXaGFvGJ6OcVCi2S6ALl6g+wqwHC3s9Hwd1+QEa0cNcdf0IeEZw7X9H5/XdzEO2zJu/KF8/9cAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/50bb5ff9861267e94166508a29b4226a/8ac56/image-20240106113008800.webp 240w,\n/static/50bb5ff9861267e94166508a29b4226a/d3be9/image-20240106113008800.webp 480w,\n/static/50bb5ff9861267e94166508a29b4226a/e46b2/image-20240106113008800.webp 960w,\n/static/50bb5ff9861267e94166508a29b4226a/d4a71/image-20240106113008800.webp 984w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/50bb5ff9861267e94166508a29b4226a/8ff5a/image-20240106113008800.png 240w,\n/static/50bb5ff9861267e94166508a29b4226a/e85cb/image-20240106113008800.png 480w,\n/static/50bb5ff9861267e94166508a29b4226a/d9199/image-20240106113008800.png 960w,\n/static/50bb5ff9861267e94166508a29b4226a/0b6f4/image-20240106113008800.png 984w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          
<img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/50bb5ff9861267e94166508a29b4226a/d9199/image-20240106113008800.png\"\n            alt=\"image-20240106113008800\"\n            title=\"image-20240106113008800\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"rune-whats-thatrev\" style=\"position:relative;\"><a href=\"#rune-whats-thatrev\" aria-label=\"rune whats thatrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Rune? What’s that?(Rev)</h2>\n<blockquote>\n<p>Rune? 
Like the ancient alphabet?</p>\n</blockquote>\n<p>The challenge provided the following Go script and a mysterious string, <code class=\"language-text\">iÛÛÜÖ×ÚáäÈÑ¥gebªØÔÍãâ£i¥§²ËÅÒÍÈä</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"go\"><pre class=\"language-go\"><code class=\"language-go\"><span class=\"token keyword\">package</span> main\n\n<span class=\"token keyword\">import</span> <span class=\"token punctuation\">(</span>\n\t<span class=\"token string\">\"fmt\"</span>\n\t<span class=\"token string\">\"os\"</span>\n\t<span class=\"token string\">\"strings\"</span>\n<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">var</span> flag <span class=\"token operator\">=</span> <span class=\"token string\">\"irisctf{this_is_not_the_real_flag}\"</span>\n\n<span class=\"token keyword\">func</span> <span class=\"token function\">init</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\truned <span class=\"token operator\">:=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token builtin\">string</span><span class=\"token punctuation\">{</span><span class=\"token punctuation\">}</span>\n\tz <span class=\"token operator\">:=</span> <span class=\"token function\">rune</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n\n\t<span class=\"token keyword\">for</span> <span class=\"token boolean\">_</span><span class=\"token punctuation\">,</span> v <span class=\"token operator\">:=</span> <span class=\"token keyword\">range</span> flag <span class=\"token punctuation\">{</span>\n\t\truned <span class=\"token operator\">=</span> <span class=\"token function\">append</span><span class=\"token punctuation\">(</span>runed<span class=\"token punctuation\">,</span> <span class=\"token function\">string</span><span class=\"token 
punctuation\">(</span>v<span class=\"token operator\">+</span>z<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\t\tz <span class=\"token operator\">=</span> v\n\t<span class=\"token punctuation\">}</span>\n\n\tflag <span class=\"token operator\">=</span> strings<span class=\"token punctuation\">.</span><span class=\"token function\">Join</span><span class=\"token punctuation\">(</span>runed<span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">func</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\tfile<span class=\"token punctuation\">,</span> err <span class=\"token operator\">:=</span> os<span class=\"token punctuation\">.</span><span class=\"token function\">OpenFile</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"the\"</span><span class=\"token punctuation\">,</span> os<span class=\"token punctuation\">.</span>O_RDWR<span class=\"token operator\">|</span>os<span class=\"token punctuation\">.</span>O_CREATE<span class=\"token punctuation\">,</span> <span class=\"token number\">0644</span><span class=\"token punctuation\">)</span>\n\t<span class=\"token keyword\">if</span> err <span class=\"token operator\">!=</span> <span class=\"token boolean\">nil</span> <span class=\"token punctuation\">{</span>\n\t\tfmt<span class=\"token punctuation\">.</span><span class=\"token function\">Println</span><span class=\"token punctuation\">(</span>err<span class=\"token punctuation\">)</span>\n\t\t<span class=\"token keyword\">return</span>\n\t<span class=\"token punctuation\">}</span>\n\n\t<span class=\"token keyword\">defer</span> file<span class=\"token punctuation\">.</span><span class=\"token function\">Close</span><span 
class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\t<span class=\"token keyword\">if</span> <span class=\"token boolean\">_</span><span class=\"token punctuation\">,</span> err <span class=\"token operator\">:=</span> file<span class=\"token punctuation\">.</span><span class=\"token function\">Write</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token function\">byte</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> err <span class=\"token operator\">!=</span> <span class=\"token boolean\">nil</span> <span class=\"token punctuation\">{</span>\n\t\tfmt<span class=\"token punctuation\">.</span><span class=\"token function\">Println</span><span class=\"token punctuation\">(</span>err<span class=\"token punctuation\">)</span>\n\t\t<span class=\"token keyword\">return</span>\n\t<span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Reading the script shows that it transforms the flag string defined in the <code class=\"language-text\">flag</code> variable and outputs the resulting gibberish string that was given in the challenge.</p>\n<p>Looking more closely at the transformation, it simply adds each character to the previous one and displays the result as a Unicode character.</p>\n<p>So I used the following script to determine that the correct flag was <code class=\"language-text\">irisctf{i_r3411y_1ik3_num63r5}</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">def</span> <span class=\"token function\">decode_string</span><span class=\"token punctuation\">(</span>encoded_string<span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">:</span>\n    decoded_chars <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n    previous_char_unicode <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n\n    <span class=\"token keyword\">for</span> char <span class=\"token keyword\">in</span> encoded_string<span class=\"token punctuation\">:</span>\n        original_char_unicode <span class=\"token operator\">=</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span>char<span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> previous_char_unicode\n        original_char <span class=\"token operator\">=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>original_char_unicode<span class=\"token punctuation\">)</span>\n        decoded_chars<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>original_char<span class=\"token punctuation\">)</span>\n        previous_char_unicode <span class=\"token operator\">=</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span>original_char<span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token string\">''</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>decoded_chars<span class=\"token punctuation\">)</span>\n\nencoded_string <span class=\"token operator\">=</span> <span class=\"token string\">r'iÛÛÜÖ×ÚáäÈÑ¥gebªØÔÍãâ£i¥§²ËÅÒÍÈä'</span>\noriginal_string <span class=\"token operator\">=</span> decode_string<span class=\"token punctuation\">(</span>encoded_string<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>original_string<span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"secure-computingrev\" 
style=\"position:relative;\"><a href=\"#secure-computingrev\" aria-label=\"secure computingrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Secure Computing(Rev)</h2>\n<blockquote>\n<p>Your own secure computer can check the flag! Might have forgotten to add the logic to the program, but I think if you guess enough, you can figure it out. Not sure</p>\n</blockquote>\n<p>The challenge provided an ELF binary named <code class=\"language-text\">chal</code>, the following C code, and a Dockerfile.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// Here's a snippet of the source code for you</span>\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Guess: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">char</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">49</span><span class=\"token operator\">+</span><span class=\"token number\">8</span><span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token 
punctuation\">{</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span><span class=\"token punctuation\">(</span><span class=\"token function\">scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%57s\"</span><span class=\"token punctuation\">,</span> flag<span class=\"token punctuation\">)</span> <span class=\"token operator\">!=</span> <span class=\"token number\">1</span> <span class=\"token operator\">||</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span> <span class=\"token operator\">!=</span> <span class=\"token number\">57</span> <span class=\"token operator\">||</span> <span class=\"token function\">strncmp</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">,</span> <span class=\"token string\">\"irisctf{\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">!=</span> <span class=\"token number\">0</span> <span class=\"token operator\">||</span> <span class=\"token function\">strncmp</span><span class=\"token punctuation\">(</span>flag <span class=\"token operator\">+</span> <span class=\"token number\">56</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"}\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Guess harder\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> 
<span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name function\">flg</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>n<span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>__uint64_t<span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>flag<span class=\"token operator\">+</span><span class=\"token number\">8</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token operator\">+</span>n<span class=\"token punctuation\">)</span></span></span>\n    <span class=\"token function\">syscall</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x1337</span><span class=\"token punctuation\">,</span> <span class=\"token function\">flg</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token function\">flg</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token function\">flg</span><span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token function\">flg</span><span class=\"token punctuation\">(</span><span class=\"token number\">3</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span 
class=\"token function\">flg</span><span class=\"token punctuation\">(</span><span class=\"token number\">4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token function\">flg</span><span class=\"token punctuation\">(</span><span class=\"token number\">5</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Maybe? idk bro\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<div class=\"gatsby-highlight\" data-language=\"dockerfile\"><pre class=\"language-dockerfile\"><code class=\"language-dockerfile\"><span class=\"token instruction\"><span class=\"token keyword\">FROM</span> ubuntu:latest</span>\n\n<span class=\"token instruction\"><span class=\"token keyword\">RUN</span> apt update &amp;&amp; apt install -y gdbserver</span>\n\n<span class=\"token instruction\"><span class=\"token keyword\">COPY</span> chal /</span>\n<span class=\"token instruction\"><span class=\"token keyword\">CMD</span> /chal</span></code></pre></div>\n<p>Analyzing the provided binary in Ghidra showed that it seemed to match the C code supplied with the challenge.</p>\n<p>It accepts a 57-character input that starts with <code class=\"language-text\">irisctf{</code> and ends with <code class=\"language-text\">}</code>.</p>\n<p>Then, via <code class=\"language-text\">flg(n)</code> as defined by <code class=\"language-text\">#define flg(n) *((__uint64_t*)((flag+8))+n)</code>, characters 8 through 56 of the flag are passed to the <code class=\"language-text\">syscall</code> function as arguments in 
8-character chunks.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 743px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d185f859eca5826bae59564fff586d6a/f2793/image-20240110120644240.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 116.66666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d185f859eca5826bae59564fff586d6a/8ac56/image-20240110120644240.webp 240w,\n/static/d185f859eca5826bae59564fff586d6a/d3be9/image-20240110120644240.webp 480w,\n/static/d185f859eca5826bae59564fff586d6a/53666/image-20240110120644240.webp 743w\"\n              sizes=\"(max-width: 743px) 100vw, 743px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d185f859eca5826bae59564fff586d6a/8ff5a/image-20240110120644240.png 240w,\n/static/d185f859eca5826bae59564fff586d6a/e85cb/image-20240110120644240.png 480w,\n/static/d185f859eca5826bae59564fff586d6a/f2793/image-20240110120644240.png 743w\"\n            sizes=\"(max-width: 743px) 100vw, 743px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d185f859eca5826bae59564fff586d6a/f2793/image-20240110120644240.png\"\n            alt=\"image-20240110120644240\"\n            title=\"image-20240110120644240\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The actual processing of 
the flag string appears to happen in the <code class=\"language-text\">syscall</code> function invoked with <code class=\"language-text\">0x1337</code>, but from this alone it is not clear what that syscall does.</p>\n<p>Since <code class=\"language-text\">0x1337</code> does not look like a standard Linux syscall, it seemed likely that it was defined somewhere specially.</p>\n<p>However, judging from the Dockerfile for the challenge binary, the image used to run it is the official Ubuntu image, and it does not appear to add anything like a kernel module.</p>\n<p>After puzzling over it for a bit, I realized that it apparently was not actually executing any real handler for syscall <code class=\"language-text\">0x1337</code>.</p>\n<p>One approach that lets a program control what happens when a system call is made is <code class=\"language-text\">seccomp</code>.</p>\n<p>The Linux kernel introduced a mechanism called <code class=\"language-text\">seccomp</code> in version 2.6.12.</p>\n<p><code class=\"language-text\">seccomp</code> is a feature that improves security by restricting the system calls an application can execute.</p>\n<p>With <code class=\"language-text\">seccomp</code>, the system calls a process may execute are controlled in a whitelist format.</p>\n<p>Because of this mechanism, when a process issues a system call, actions such as deciding whether execution is allowed are carried out through the <code class=\"language-text\">seccomp</code> filter.</p>\n<p>The following article was helpful for the details.</p>\n<p>Reference: <a href=\"https://zenn.dev/yurayake/articles/432d6b1b02727c\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Restrict system calls issued by your own process using seccomp</a></p>\n<p>As described in the article above, <code class=\"language-text\">seccomp</code> filters can be added with <code class=\"language-text\">prctl</code>.</p>\n<p>In the program used in that article, the <code class=\"language-text\">seccomp-tools 
dump</code> tool could be used to list the <code class=\"language-text\">seccomp</code> filters, but that method could not be used with this challenge binary.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">sudo</span> <span class=\"token function\">apt</span> <span class=\"token function\">install</span> gcc ruby-dev -y\n<span class=\"token function\">sudo</span> gem <span class=\"token function\">install</span> seccomp-tools\nseccomp-tools dump ./a.out</code></pre></div>\n<p>Reference: <a href=\"https://github.com/david942j/seccomp-tools\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">david942j/seccomp-tools: Provide powerful tools for seccomp analysis</a></p>\n<p>To determine what kind of <code class=\"language-text\">seccomp</code> filters were registered, I analyzed the binary.</p>\n<p>Looking at the call to <code class=\"language-text\">__libc_start_main</code> in Ghidra’s decompiled <code class=\"language-text\">entry</code> function, I saw that something was defined in the fourth and fifth arguments corresponding to <code class=\"language-text\">init</code> and <code class=\"language-text\">fini</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">void</span> <span class=\"token function\">FUN_555555400a20</span><span class=\"token punctuation\">(</span>undefined8 param_1<span class=\"token punctuation\">,</span>undefined8 param_2<span class=\"token punctuation\">,</span>undefined8 param_3<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  undefined8 unaff_retaddr<span class=\"token punctuation\">;</span>\n  undefined auStack_8 <span class=\"token punctuation\">[</span><span class=\"token number\">8</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  <span class=\"token 
function\">__libc_start_main</span><span class=\"token punctuation\">(</span>main<span class=\"token punctuation\">,</span>unaff_retaddr<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>stack0x00000008<span class=\"token punctuation\">,</span>FUN_555555400b30<span class=\"token punctuation\">,</span>FUN_555555400ba0<span class=\"token punctuation\">,</span>param_3<span class=\"token punctuation\">,</span>\n                    auStack_8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>\n                    <span class=\"token comment\">/* WARNING: Do nothing block with infinite loop */</span>\n  <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span> true <span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>In <code class=\"language-text\">__libc_start_main</code>, <code class=\"language-text\">init</code> refers to an initialization function. If <code class=\"language-text\">init</code> is defined, some processing is called before the <code class=\"language-text\">main</code> function runs. 
In general, this is where things like global-variable initialization are executed.</p>\n<p>Reference: <a href=\"https://refspecs.linuxbase.org/LSB_3.1.1/LSB-Core-generic/LSB-Core-generic/baselib---libc-start-main-.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">__libc_start_main</a></p>\n<p>In Ghidra, the function specified in <code class=\"language-text\">init</code> could be referenced as <code class=\"language-text\">__DT_INIT_ARRAY</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1e1e387037a05df63afe072d596abb8e/1f038/image-20240113221338303.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 32.916666666666664%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1e1e387037a05df63afe072d596abb8e/8ac56/image-20240113221338303.webp 240w,\n/static/1e1e387037a05df63afe072d596abb8e/d3be9/image-20240113221338303.webp 480w,\n/static/1e1e387037a05df63afe072d596abb8e/e46b2/image-20240113221338303.webp 960w,\n/static/1e1e387037a05df63afe072d596abb8e/f992d/image-20240113221338303.webp 1440w,\n/static/1e1e387037a05df63afe072d596abb8e/42d7d/image-20240113221338303.webp 1481w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1e1e387037a05df63afe072d596abb8e/8ff5a/image-20240113221338303.png 240w,\n/static/1e1e387037a05df63afe072d596abb8e/e85cb/image-20240113221338303.png 
480w,\n/static/1e1e387037a05df63afe072d596abb8e/d9199/image-20240113221338303.png 960w,\n/static/1e1e387037a05df63afe072d596abb8e/07a9c/image-20240113221338303.png 1440w,\n/static/1e1e387037a05df63afe072d596abb8e/1f038/image-20240113221338303.png 1481w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1e1e387037a05df63afe072d596abb8e/d9199/image-20240113221338303.png\"\n            alt=\"image-20240113221338303\"\n            title=\"image-20240113221338303\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>From this, we can see that the following code using <code class=\"language-text\">prctl</code> is called when the program starts.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">void</span> <span class=\"token function\">init_unkown</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">long</span> lVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> in_FS_OFFSET<span class=\"token punctuation\">;</span>\n  undefined2 local_48 <span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  undefined8 local_40<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> local_30<span class=\"token punctuation\">;</span>\n  \n  local_30 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span 
class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  lVar1 <span class=\"token operator\">=</span> <span class=\"token function\">ptrace</span><span class=\"token punctuation\">(</span>PTRACE_TRACEME<span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span> <span class=\"token operator\">&lt;</span> lVar1<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    lVar1 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">prctl</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x26</span><span class=\"token punctuation\">,</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>\n      local_48<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>undefined2<span class=\"token punctuation\">)</span><span class=\"token 
operator\">*</span><span class=\"token punctuation\">(</span>undefined8 <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>DAT_555555602020 <span class=\"token operator\">+</span> lVar1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      local_40 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>undefined8 <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>PTR_DAT_55555563d560 <span class=\"token operator\">+</span> lVar1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      lVar1 <span class=\"token operator\">=</span> lVar1 <span class=\"token operator\">+</span> <span class=\"token number\">8</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">syscall</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x13d</span><span class=\"token punctuation\">,</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span>local_48<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>lVar1 <span class=\"token operator\">!=</span> <span class=\"token number\">0x40</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>local_30 <span class=\"token operator\">==</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n                    <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n  <span class=\"token function\">__stack_chk_fail</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>It appears to register the <code class=\"language-text\">seccomp</code> filters here.</p>\n<p>First, judging from the actual code, it looks like the <code class=\"language-text\">seccomp</code> filters are being registered at the line <code class=\"language-text\">syscall(0x13d,1,0,local_48);</code> inside the <code class=\"language-text\">while</code> loop.</p>\n<p>I could not find any information on the ID <code class=\"language-text\">0x13d</code>, but because the fourth argument is a <code class=\"language-text\">seccomp</code> filter, it can be inferred that this corresponds to a call to <code class=\"language-text\">syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &amp;prog)</code>.</p>\n<p>Reference: <a href=\"https://man7.org/linux/man-pages/man2/seccomp.2.html\" target=\"_blank\" rel=\"nofollow noopener 
noreferrer\">seccomp(2) - Linux manual page</a></p>\n<p>This code is called <code class=\"language-text\">0x40 / 8</code> times inside the <code class=\"language-text\">while</code> loop, that is, 8 times.</p>\n<p>Looking at the section at <code class=\"language-text\">&amp;PTR_DAT_55555563d560</code>, I confirmed that it lists the addresses of eight memory regions beginning with <code class=\"language-text\">20 00 00 00 ...</code>, that is, <code class=\"language-text\">A = sys_number</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 433px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1a0b3c36b5a03f0391c3a4a5fb4cf051/55fc0/image-20240114174453793.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 43.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABmUlEQVQoz1WRiZKkIBBE/f+fmz0idrZH8aTF9sCrVTwgt4CeiVkiyhKtemQWwY1VePtb4OeHwI8bR8QVboXBe6rBhIaYDHh34u19QEG5WYCQr/gdTfgVTtQzUO+IP8kTYtQI1m3Hczu+Yt01VmWwUGy7cftFXRif/t/22g8z1a8Xlu3ymb6p0yC4rhPnceC6Lth3ozWMAfRFD1pDv+LORxdVNUOICbwY3P44qOfU0NqHXUFVVYjjBGlWIE0StM2GtgXqh8E4eqjaTrCogyIVdnXtQrU98nxAQjnLejpoJigpFKVAFDGCpsjSlIoVGgI+CCilgT14Vyc+bu1/wCSRSNMejHXU1+N+nzzw8VKYkcI8ywjigXVtMM8v4H4iiSVlD5RycaqsQgu1I3AKaVZBWZYIw5BOzAjMnOWmASrhgXaeFhh/syy7xY0gpkMYkw7Mi5FqrWUh6CP7Ajb15i1XBhPN0E5RkeXwm2WnkJR5yx545y/LDcnJ8wKclyjy3FmWkubU+Uv5tGwv4dOyvXkHobkVlEvKdb044D8RJ6sLMyywGQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1a0b3c36b5a03f0391c3a4a5fb4cf051/8ac56/image-20240114174453793.webp 240w,\n/static/1a0b3c36b5a03f0391c3a4a5fb4cf051/aff3a/image-20240114174453793.webp 
433w\"\n              sizes=\"(max-width: 433px) 100vw, 433px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1a0b3c36b5a03f0391c3a4a5fb4cf051/8ff5a/image-20240114174453793.png 240w,\n/static/1a0b3c36b5a03f0391c3a4a5fb4cf051/55fc0/image-20240114174453793.png 433w\"\n            sizes=\"(max-width: 433px) 100vw, 433px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1a0b3c36b5a03f0391c3a4a5fb4cf051/55fc0/image-20240114174453793.png\"\n            alt=\"image-20240114174453793\"\n            title=\"image-20240114174453793\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>In other words, this program appears to register eight <code class=\"language-text\">seccomp</code> filters at startup.</p>\n<p>It looked like I could extract each filter by pulling out the eight filters individually and using <code class=\"language-text\">seccomp-tools disasm --no-bpf</code>, but I gave up because I could not determine the end of each one.</p>\n<p>So I analyzed the code further in order to obtain output from <code class=\"language-text\">seccomp-tools dump</code> after all.</p>\n<p>It seems that <code class=\"language-text\">seccomp-tools dump</code> extracts the <code class=\"language-text\">seccomp</code> filters by running the program and attaching with <code class=\"language-text\">ptrace</code>.</p>\n<p>Looking back at the code above, the line <code class=\"language-text\">ptrace(PTRACE_TRACEME,0);</code> adds anti-debugging functionality.</p>\n<p>In other words, when <code class=\"language-text\">seccomp-tools</code> uses <code class=\"language-text\">ptrace</code>, the filter-registration process is skipped, which explains why <code class=\"language-text\">seccomp-tools dump</code> 
had failed to output the filters earlier.</p>\n<p>So I patched the binary in Ghidra and disabled all of this anti-debugging logic.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 769px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/63e2e7ca423ab1330419bbf01690ff7a/227ba/image-20240113222332408.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 26.666666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+UlEQVQY042Oy06DYBBGef8X6EpN3BjTWutlYaISDKBx0YW3qIUWErUUqG0VChR+OP6lxsvCxEzOfJOZ5GSUS8dEtTQunq+5nbv0GdAN77mbWzwWD9zEV/QKC0vY9HJ7NZd97D9QNobrNAYN1rwtdkSHPdpsvjbZTlp02KXeVO1/oxwEh7TcJvv+MWpmco7O0VTlNDlDrzS04gQTQ+6NOo1Kl/0nv0sJ/ADXcRmN3phOoCohes9YLEqyNOXlKcQbRkzGCUUujxXfLENmKcovFL8WOlI4YxwiRTCbJqSpQIgE3w/lLcbzIsIwJs/Fp2hlFEKQZcsHFvX8ASataxdeHXvNAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/63e2e7ca423ab1330419bbf01690ff7a/8ac56/image-20240113222332408.webp 240w,\n/static/63e2e7ca423ab1330419bbf01690ff7a/d3be9/image-20240113222332408.webp 480w,\n/static/63e2e7ca423ab1330419bbf01690ff7a/85eee/image-20240113222332408.webp 769w\"\n              sizes=\"(max-width: 769px) 100vw, 769px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/63e2e7ca423ab1330419bbf01690ff7a/8ff5a/image-20240113222332408.png 240w,\n/static/63e2e7ca423ab1330419bbf01690ff7a/e85cb/image-20240113222332408.png 480w,\n/static/63e2e7ca423ab1330419bbf01690ff7a/227ba/image-20240113222332408.png 769w\"\n            sizes=\"(max-width: 769px) 100vw, 769px\"\n            
type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/63e2e7ca423ab1330419bbf01690ff7a/227ba/image-20240113222332408.png\"\n            alt=\"image-20240113222332408\"\n            title=\"image-20240113222332408\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After that, I was able to dump the filters with the <code class=\"language-text\">seccomp-tools dump</code> command.</p>\n<p>The filter output was enormous, so I am only including a portion of it.</p>\n<p>In broad terms, it first checks whether the system call ID is <code class=\"language-text\">0x1337</code>, then repeatedly performs operations on certain values, and finally compares them against specific values.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ seccomp-tools dump ./chal_patched\n\nline  CODE  JT   JF      K\n<span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">=</span>\n 0000: 0x20 0x00 0x00 0x00000000  A <span class=\"token operator\">=</span> sys_number\n 0001: 0x15 0x01 0x00 0x00001337  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>A <span class=\"token 
operator\">==</span> 0x1337<span class=\"token punctuation\">)</span> goto 0003\n 0002: 0x06 0x00 0x00 0x7fff0000  <span class=\"token builtin class-name\">return</span> ALLOW\n 0003: 0x03 0x00 0x00 0x0000000b  mem<span class=\"token punctuation\">[</span><span class=\"token number\">11</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> X\n 0004: 0x04 0x00 0x00 0x9a0b31d4  A <span class=\"token operator\">+=</span> 0x9a0b31d4\n 0005: 0x04 0x00 0x00 0x5245d02a  A <span class=\"token operator\">+=</span> 0x5245d02a\n 0006: 0x1c 0x00 0x00 0x00000000  A -<span class=\"token operator\">=</span> X\n 0007: 0x04 0x00 0x00 0x7d5a280a  A <span class=\"token operator\">+=</span> 0x7d5a280a\n 0008: 0x1c 0x00 0x00 0x00000000  A -<span class=\"token operator\">=</span> X\n 0009: 0x24 0x00 0x00 0x000081af  A *<span class=\"token operator\">=</span> 0x81af\n 0010: 0x03 0x00 0x00 0x00000003  mem<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> X\n**\n <span class=\"token number\">2692</span>: 0x04 0x00 0x00 0xb06bedbc  A <span class=\"token operator\">+=</span> 0xb06bedbc\n <span class=\"token number\">2693</span>: 0x20 0x00 0x00 0x0000001c  A <span class=\"token operator\">=</span> args<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">>></span> <span class=\"token number\">32</span>\n <span class=\"token number\">2694</span>: 0x44 0x00 0x00 0xc7fdf7c2  A <span class=\"token operator\">|</span><span class=\"token operator\">=</span> 0xc7fdf7c2\n <span class=\"token number\">2695</span>: 0x04 0x00 0x00 0x88410078  A <span class=\"token operator\">+=</span> 0x88410078\n**\n <span class=\"token number\">3791</span>: 0x60 0x00 0x00 0x0000000f  A <span class=\"token operator\">=</span> mem<span class=\"token punctuation\">[</span><span 
class=\"token number\">15</span><span class=\"token punctuation\">]</span>\n <span class=\"token number\">3792</span>: 0x15 0x00 0x01 0xd101957e  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>A <span class=\"token operator\">!=</span> <span class=\"token number\">3506541950</span><span class=\"token punctuation\">)</span> goto <span class=\"token number\">3794</span>\n <span class=\"token number\">3793</span>: 0x06 0x00 0x00 0x00050000  <span class=\"token builtin class-name\">return</span> ERRNO<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n <span class=\"token number\">3794</span>: 0x06 0x00 0x00 0x00000000  <span class=\"token builtin class-name\">return</span> KILL</code></pre></div>\n<p>If this check fails, <code class=\"language-text\">seccomp</code> terminates the thread, and if it succeeds, it appears to return true.</p>\n<p>Let’s look at a few of the variables.</p>\n<p>First, <code class=\"language-text\">arg[]</code> appears to be treated as an array variable indexed from 0 to 5.</p>\n<p>This likely corresponds to the flag characters passed in <code class=\"language-text\">syscall(0x1337, flg(0), flg(1), flg(2), flg(3), flg(4), flg(5));</code>, split into 8-character values.</p>\n<p>Next, <code class=\"language-text\">A</code> and <code class=\"language-text\">X</code> are most likely temporary variables used like registers.</p>\n<p>Finally, <code class=\"language-text\">mem[]</code> is an array variable indexed from 0 to 15.</p>\n<p>The final comparisons against hardcoded values are performed on each element of this <code class=\"language-text\">mem</code> array.</p>\n<p>For that reason, I expected that the input flag characters were being transformed somehow and stored in <code class=\"language-text\">mem</code>.</p>\n<p>Judging from the actual processing, it looked like this computation itself could be solved with Z3.</p>\n<p>However, I gave 
up on manually converting nearly 4,000 lines of processing into Z3.</p>\n<p>So, using a solver shared on Discord as a reference, I wrote a program that automatically generated Z3 constraints from this output and recovered the flag.</p>\n<p>First, use the following command to remove the unnecessary parts from the output of <code class=\"language-text\">seccomp-tools dump</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">seccomp-tools dump ./chal_patched -l <span class=\"token number\">8</span> <span class=\"token operator\">|</span> <span class=\"token function\">grep</span> -Pv <span class=\"token string\">\"=======|CODE\"</span> <span class=\"token operator\">></span> seccomp_filter.txt</code></pre></div>\n<p>Next, set up the initial values.</p>\n<p>For the <code class=\"language-text\">arch</code> variable, set the value of <code class=\"language-text\">AUDIT_ARCH_X86_64</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> z3 <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\ns <span class=\"token operator\">=</span> Solver<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">add_cons</span><span class=\"token punctuation\">(</span>v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    s<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span>v <span class=\"token operator\">></span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">' '</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> v <span class=\"token 
operator\">&lt;=</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">'~'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nmem <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">]</span><span class=\"token operator\">*</span><span class=\"token number\">16</span>\nX <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nA <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nsys_number <span class=\"token operator\">=</span> <span class=\"token number\">0x1337</span>\narch <span class=\"token operator\">=</span> <span class=\"token number\">0xc000003e</span> <span class=\"token comment\"># AUDIT_ARCH_X86_64</span>\n\n<span class=\"token comment\"># bpf is 32 bits</span>\nargs <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>       <span class=\"token comment\"># low DWORDs</span>\nargs2 <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>      <span class=\"token comment\"># high DWORDs</span></code></pre></div>\n<p>In the next part, define six variables, indexed 0 to 5, for each of <code class=\"language-text\">arg</code> and <code class=\"language-text\">arg_2</code>.</p>\n<p>Then split each of them into 4 bytes and apply printable-ASCII constraints byte by byte.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># args is lower DWORD</span>\n<span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token 
punctuation\">(</span><span class=\"token number\">6</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    v <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"arg%d\"</span><span class=\"token operator\">%</span>x<span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n    args<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>v<span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">15</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">23</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">31</span><span class=\"token punctuation\">,</span> <span class=\"token number\">24</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">)</span>\n\n<span class=\"token comment\"># args2 is upper DWORD</span>\n<span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">6</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    v <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"arg_2%d\"</span><span class=\"token operator\">%</span>x<span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n    args2<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>v<span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">15</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">23</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span 
class=\"token number\">31</span><span class=\"token punctuation\">,</span> <span class=\"token number\">24</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This defines the variables for each argument (= the flag stored in 8-character chunks).</p>\n<p>From here, process <code class=\"language-text\">seccomp_filter.txt</code> line by line.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">i <span class=\"token operator\">=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"seccomp_filter.txt\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> fp<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> line <span class=\"token keyword\">in</span> fp<span class=\"token punctuation\">:</span>\n        i <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n        <span class=\"token comment\"># Extract the instruction</span>\n        ins <span class=\"token operator\">=</span> line<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\"  \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>strip<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        <span class=\"token comment\"># print(line)</span>\n        <span class=\"token comment\"># print(ins)</span>\n\n        <span class=\"token comment\"># Ignore return statements</span>\n        <span class=\"token 
keyword\">if</span> ins<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"return \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">continue</span>\n\n        <span class=\"token comment\"># args[0] >> 32 のような演算を特定する</span>\n        <span class=\"token comment\"># これによって、上位 32 bit 文の文字を取得し、変数名をベクタ名に合わせる</span>\n        <span class=\"token keyword\">elif</span> <span class=\"token string\">\" >> \"</span> <span class=\"token keyword\">in</span> ins<span class=\"token punctuation\">:</span>\n            ins <span class=\"token operator\">=</span> ins<span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token number\">11</span><span class=\"token punctuation\">]</span> <span class=\"token comment\"># A = args[x]</span>\n            ins <span class=\"token operator\">=</span> ins<span class=\"token punctuation\">.</span>replace<span class=\"token punctuation\">(</span><span class=\"token string\">\"args\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"args2\"</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token comment\"># if (A == 0x1337) goto 0003 のような if 文の処理を制約に追加する</span>\n        <span class=\"token keyword\">if</span> ins<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"if (\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            val <span class=\"token operator\">=</span> ins<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span 
class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token comment\"># if (A == val)</span>\n            <span class=\"token keyword\">if</span> val<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"0x\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                val <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>val<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                val <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>val<span class=\"token punctuation\">)</span>\n\n            s<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>A <span class=\"token operator\">==</span> val<span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">continue</span>\n\n        <span class=\"token comment\"># A ^= X など、そのまま Python コードとして実行可能な行を実行する</span>\n        <span class=\"token keyword\">exec</span><span class=\"token punctuation\">(</span>ins<span class=\"token punctuation\">)</span>\n\n        <span class=\"token comment\"># 32 bit int を維持</span>\n        A <span class=\"token operator\">&amp;</span><span class=\"token operator\">=</span> <span class=\"token number\">0xffffffff</span></code></pre></div>\n<p>Finally, by solving the constraints with Z3, we can determine that the correct flag 
string is <code class=\"language-text\">1f_0nly_s3cc0mp_c0ulD_us3_4ll_eBPF_1nstruct10ns!</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">assert</span> s<span class=\"token punctuation\">.</span>check<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> sat\nmodel <span class=\"token operator\">=</span> s<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nout <span class=\"token operator\">=</span> <span class=\"token string\">b''</span>\n\n<span class=\"token comment\"># 各 arg と atg_2 の文字を連結して出力</span>\n<span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>args<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    v <span class=\"token operator\">=</span> model<span class=\"token punctuation\">[</span>args<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>as_long<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    out <span class=\"token operator\">+=</span> <span class=\"token builtin\">bytes</span><span class=\"token punctuation\">.</span>fromhex<span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span 
class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span>\n    v <span class=\"token operator\">=</span> model<span class=\"token punctuation\">[</span>args2<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>as_long<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    out <span class=\"token operator\">+=</span> <span class=\"token builtin\">bytes</span><span class=\"token punctuation\">.</span>fromhex<span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>out<span class=\"token punctuation\">)</span></code></pre></div>\n<p>The full solver is below.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># seccomp-tools dump ./chal_patched -l 8 > seccomp_filter.txt &amp;&amp; sed -i '1,2d' seccomp_filter.txt</span>\n<span class=\"token keyword\">from</span> z3 <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\ns <span 
class=\"token operator\">=</span> Solver<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">add_cons</span><span class=\"token punctuation\">(</span>v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    s<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span>v <span class=\"token operator\">></span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">' '</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> v <span class=\"token operator\">&lt;=</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">'~'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nmem <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">]</span><span class=\"token operator\">*</span><span class=\"token number\">16</span>\nX <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nA <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nsys_number <span class=\"token operator\">=</span> <span class=\"token number\">0x1337</span>\narch <span class=\"token operator\">=</span> <span class=\"token number\">0xc000003e</span> <span class=\"token comment\"># AUDIT_ARCH_X86_64</span>\n\n<span class=\"token comment\"># bpf is 32 bits</span>\nargs <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>       <span class=\"token comment\"># low DWORD</span>\nargs2 <span class=\"token 
operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>      <span class=\"token comment\"># high DWORDs</span>\n\n\n<span class=\"token comment\"># args is lower DWORD</span>\n<span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">6</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    v <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"arg%d\"</span><span class=\"token operator\">%</span>x<span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n    args<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>v<span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">15</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">23</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">31</span><span class=\"token punctuation\">,</span> <span class=\"token number\">24</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># args2 is upper DWORD</span>\n<span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">6</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    v <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"arg_2%d\"</span><span class=\"token operator\">%</span>x<span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n    args2<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>v<span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">15</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span 
class=\"token number\">23</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    add_cons<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span><span class=\"token number\">31</span><span class=\"token punctuation\">,</span> <span class=\"token number\">24</span><span class=\"token punctuation\">,</span> v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n\ni <span class=\"token operator\">=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"seccomp_filter.txt\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> fp<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> line <span class=\"token keyword\">in</span> fp<span class=\"token punctuation\">:</span>\n        i <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n        <span class=\"token comment\"># Extract the instruction</span>\n        ins <span class=\"token operator\">=</span> line<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\"  \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>strip<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        <span class=\"token comment\"># print(line)</span>\n        <span class=\"token comment\"># print(ins)</span>\n\n        <span class=\"token comment\"># Ignore return statements</span>\n        <span 
class=\"token keyword\">if</span> ins<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"return \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">continue</span>\n\n        <span class=\"token comment\"># Identify operations such as args[0] >> 32</span>\n        <span class=\"token comment\"># This fetches the characters in the upper 32 bits, so rename the variable to match the vector name</span>\n        <span class=\"token keyword\">elif</span> <span class=\"token string\">\" >> \"</span> <span class=\"token keyword\">in</span> ins<span class=\"token punctuation\">:</span>\n            ins <span class=\"token operator\">=</span> ins<span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token number\">11</span><span class=\"token punctuation\">]</span> <span class=\"token comment\"># A = args[x]</span>\n            ins <span class=\"token operator\">=</span> ins<span class=\"token punctuation\">.</span>replace<span class=\"token punctuation\">(</span><span class=\"token string\">\"args\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"args2\"</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token comment\"># Turn if statements such as 'if (A == 0x1337) goto 0003' into constraints</span>\n        <span class=\"token keyword\">if</span> ins<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"if (\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            val <span class=\"token operator\">=</span> ins<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span><span class=\"token 
punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token comment\"># if (A == val)</span>\n            <span class=\"token keyword\">if</span> val<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"0x\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                val <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>val<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                val <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>val<span class=\"token punctuation\">)</span>\n\n            s<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>A <span class=\"token operator\">==</span> val<span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">continue</span>\n\n        <span class=\"token comment\"># Execute lines such as A ^= X that are valid Python code as-is</span>\n        <span class=\"token keyword\">exec</span><span class=\"token punctuation\">(</span>ins<span class=\"token punctuation\">)</span>\n\n        <span class=\"token comment\"># Keep the value as a 32-bit int</span>\n        A <span class=\"token operator\">&amp;</span><span class=\"token operator\">=</span> <span class=\"token number\">0xffffffff</span>\n\n<span class=\"token keyword\">assert</span> s<span class=\"token 
punctuation\">.</span>check<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> sat\nmodel <span class=\"token operator\">=</span> s<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nout <span class=\"token operator\">=</span> <span class=\"token string\">b''</span>\n\n<span class=\"token comment\"># Concatenate and print the characters of each arg and arg_2</span>\n<span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>args<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    v <span class=\"token operator\">=</span> model<span class=\"token punctuation\">[</span>args<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>as_long<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    out <span class=\"token operator\">+=</span> <span class=\"token builtin\">bytes</span><span class=\"token punctuation\">.</span>fromhex<span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span>\n    v <span 
class=\"token operator\">=</span> model<span class=\"token punctuation\">[</span>args2<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>as_long<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    out <span class=\"token operator\">+=</span> <span class=\"token builtin\">bytes</span><span class=\"token punctuation\">.</span>fromhex<span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>v<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>out<span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"not-just-mediaforensic\" style=\"position:relative;\"><a href=\"#not-just-mediaforensic\" aria-label=\"not just mediaforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Not Just Media(Forensic)</h2>\n<blockquote>\n<p>I downloaded a video from 
the internet, but I think I got the wrong subtitles.</p>\n<p>Note: The flag is all lowercase.</p>\n</blockquote>\n<p>Analyze the MKV file provided in the challenge with <code class=\"language-text\">mkvinfo</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ mkvinfo chal.mkv\n+ EBML <span class=\"token function\">head</span>\n<span class=\"token operator\">|</span>+ EBML version: <span class=\"token number\">1</span>\n<span class=\"token operator\">|</span>+ EBML <span class=\"token builtin class-name\">read</span> version: <span class=\"token number\">1</span>\n<span class=\"token operator\">|</span>+ Maximum EBML ID length: <span class=\"token number\">4</span>\n<span class=\"token operator\">|</span>+ Maximum EBML size length: <span class=\"token number\">8</span>\n<span class=\"token operator\">|</span>+ Document type: matroska\n<span class=\"token operator\">|</span>+ Document <span class=\"token builtin class-name\">type</span> version: <span class=\"token number\">4</span>\n<span class=\"token operator\">|</span>+ Document <span class=\"token builtin class-name\">type</span> <span class=\"token builtin class-name\">read</span> version: <span class=\"token number\">2</span>\n+ Segment: size <span class=\"token number\">25689323</span>\n<span class=\"token operator\">|</span>+ Seek <span class=\"token function\">head</span> <span class=\"token punctuation\">(</span>subentries will be skipped<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>+ EBML void: size <span class=\"token number\">4012</span>\n<span class=\"token operator\">|</span>+ Segment information\n<span class=\"token operator\">|</span> + Timestamp scale: <span class=\"token number\">1000000</span>\n<span class=\"token operator\">|</span> + Multiplexing application: libebml v1.4.4 + libmatroska v1.7.1\n<span class=\"token operator\">|</span> + Writing application: mkvmerge v80.0 <span 
class=\"token punctuation\">(</span><span class=\"token string\">'Roundabout'</span><span class=\"token punctuation\">)</span> <span class=\"token number\">64</span>-bit\n<span class=\"token operator\">|</span> + Duration: 00:02:11.674000000\n<span class=\"token operator\">|</span> + Date: <span class=\"token number\">2024</span>-01-05 00:28:38 UTC\n<span class=\"token operator\">|</span> + Segment <span class=\"token environment constant\">UID</span><span class=\"token builtin class-name\">:</span> 0x0b 0xea 0x43 0x59 0xc7 0xd0 0x77 0xd9 0x8a 0xaf 0x19 0x68 0x93 0x40 0xd7 0xe4\n<span class=\"token operator\">|</span>+ Tracks\n<span class=\"token operator\">|</span> + Track\n<span class=\"token operator\">|</span>  + Track number: <span class=\"token number\">1</span> <span class=\"token punctuation\">(</span>track ID <span class=\"token keyword\">for</span> mkvmerge <span class=\"token operator\">&amp;</span> mkvextract: <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>  + Track <span class=\"token environment constant\">UID</span><span class=\"token builtin class-name\">:</span> <span class=\"token number\">15645917742896964978</span>\n<span class=\"token operator\">|</span>  + Track type: video\n<span class=\"token operator\">|</span>  + <span class=\"token string\">\"Lacing\"</span> flag: <span class=\"token number\">0</span>\n<span class=\"token operator\">|</span>  + Language: und\n<span class=\"token operator\">|</span>  + Codec ID: V_MPEG4/ISO/AVC\n<span class=\"token operator\">|</span>  + Codec<span class=\"token string\">'s private data: size 51 (H.264 profile: High @L3.2)\n|  + Default duration: 00:00:00.016666666 (60.000 frames/fields per second for a video track)\n|  + Language (IETF BCP 47): und\n|  + Video track\n|   + Pixel width: 1280\n|   + Pixel height: 720\n|   + Display width: 1280\n|   + Display height: 720\n| + Track\n|  + Track number: 2 (track ID for mkvmerge &amp; 
mkvextract: 1)\n|  + Track UID: 516687677308344442\n|  + Track type: audio\n|  + Language: und\n|  + Codec ID: A_AAC\n|  + Codec'</span>s private data: size <span class=\"token number\">5</span>\n<span class=\"token operator\">|</span>  + Default duration: 00:00:00.023219954 <span class=\"token punctuation\">(</span><span class=\"token number\">43.066</span> frames/fields per second <span class=\"token keyword\">for</span> a video track<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>  + Language <span class=\"token punctuation\">(</span>IETF BCP <span class=\"token number\">47</span><span class=\"token punctuation\">)</span>: und\n<span class=\"token operator\">|</span>  + Audio track\n<span class=\"token operator\">|</span>   + Sampling frequency: <span class=\"token number\">44100</span>\n<span class=\"token operator\">|</span>   + Channels: <span class=\"token number\">2</span>\n<span class=\"token operator\">|</span> + Track\n<span class=\"token operator\">|</span>  + Track number: <span class=\"token number\">3</span> <span class=\"token punctuation\">(</span>track ID <span class=\"token keyword\">for</span> mkvmerge <span class=\"token operator\">&amp;</span> mkvextract: <span class=\"token number\">2</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>  + Track <span class=\"token environment constant\">UID</span><span class=\"token builtin class-name\">:</span> <span class=\"token number\">4321065271376252327</span>\n<span class=\"token operator\">|</span>  + Track type: subtitles\n<span class=\"token operator\">|</span>  + <span class=\"token string\">\"Forced display\"</span> flag: <span class=\"token number\">1</span>\n<span class=\"token operator\">|</span>  + <span class=\"token string\">\"Lacing\"</span> flag: <span class=\"token number\">0</span>\n<span class=\"token operator\">|</span>  + Language: und\n<span class=\"token operator\">|</span>  + Codec ID: S_TEXT/ASS\n<span 
class=\"token operator\">|</span>  + Codec's private data: size <span class=\"token number\">965</span>\n<span class=\"token operator\">|</span>  + Language <span class=\"token punctuation\">(</span>IETF BCP <span class=\"token number\">47</span><span class=\"token punctuation\">)</span>: und\n<span class=\"token operator\">|</span>+ EBML void: size <span class=\"token number\">1172</span>\n<span class=\"token operator\">|</span>+ Attachments\n<span class=\"token operator\">|</span> + Attached\n<span class=\"token operator\">|</span>  + File name: NotoSansTC-Regular_0.ttf\n<span class=\"token operator\">|</span>  + MIME type: font/ttf\n<span class=\"token operator\">|</span>  + File data: size <span class=\"token number\">7110560</span>\n<span class=\"token operator\">|</span>  + File <span class=\"token environment constant\">UID</span><span class=\"token builtin class-name\">:</span> <span class=\"token number\">13897746459734659379</span>\n<span class=\"token operator\">|</span>  + File description: Imported font from Untitled.ass\n<span class=\"token operator\">|</span> + Attached\n<span class=\"token operator\">|</span>  + File name: FakeFont_0.ttf\n<span class=\"token operator\">|</span>  + MIME type: font/ttf\n<span class=\"token operator\">|</span>  + File data: size <span class=\"token number\">64304</span>\n<span class=\"token operator\">|</span>  + File <span class=\"token environment constant\">UID</span><span class=\"token builtin class-name\">:</span> <span class=\"token number\">13557627962983747543</span>\n<span class=\"token operator\">|</span>  + File description: Imported font from Untitled.ass\n<span class=\"token operator\">|</span> + Attached\n<span class=\"token operator\">|</span>  + File name: NotoSans-Regular_0.ttf\n<span class=\"token operator\">|</span>  + MIME type: font/ttf\n<span class=\"token operator\">|</span>  + File data: size <span class=\"token number\">582748</span>\n<span class=\"token operator\">|</span>  + File <span 
class=\"token environment constant\">UID</span><span class=\"token builtin class-name\">:</span> <span class=\"token number\">7918181187782517176</span>\n<span class=\"token operator\">|</span>  + File description: Imported font from Untitled.ass\n<span class=\"token operator\">|</span>+ Cluster</code></pre></div>\n<p>This shows that, in addition to video and audio, the file contains subtitle settings that display the text <code class=\"language-text\">我們歡迎您接受一生中最大的挑戰，即嘗試理解這段文字的含義</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0a8411d674f4d77fc1aee82973632062/19a6b/image-20240106154348057.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 52.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0a8411d674f4d77fc1aee82973632062/8ac56/image-20240106154348057.webp 240w,\n/static/0a8411d674f4d77fc1aee82973632062/d3be9/image-20240106154348057.webp 480w,\n/static/0a8411d674f4d77fc1aee82973632062/e46b2/image-20240106154348057.webp 960w,\n/static/0a8411d674f4d77fc1aee82973632062/812c2/image-20240106154348057.webp 1191w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0a8411d674f4d77fc1aee82973632062/8ff5a/image-20240106154348057.png 240w,\n/static/0a8411d674f4d77fc1aee82973632062/e85cb/image-20240106154348057.png 480w,\n/static/0a8411d674f4d77fc1aee82973632062/d9199/image-20240106154348057.png 
960w,\n/static/0a8411d674f4d77fc1aee82973632062/19a6b/image-20240106154348057.png 1191w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0a8411d674f4d77fc1aee82973632062/d9199/image-20240106154348057.png\"\n            alt=\"image-20240106154348057\"\n            title=\"image-20240106154348057\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>However, the subtitles do not display correctly even when the video is played.</p>\n<p>Further analysis of the <code class=\"language-text\">mkvinfo</code> result shows that a suspicious font file named <code class=\"language-text\">FakeFont_0.ttf</code> is embedded in the Attachments section.</p>\n<p>I extracted only the font data with the following command.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">mkvextract attachments chal.mkv <span class=\"token number\">2</span>:FakeFont_0.ttf</code></pre></div>\n<p>As a test, I rendered the string <code class=\"language-text\">我們歡迎您接受一生中最大的挑戰，即嘗試理解這段文字的含義</code> using the extracted font data, and the correct flag was displayed.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/dae8c9c1f23d2c8322bb26e67d25debe/e088a/image-20240106161119964.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 5.416666666666667%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAOklEQVQI13XB0QnAMAhAwe4/W0AJgoqSv6zhKx2gd885BzNDVYkIMhMRobupKtydtRZ7b+69fGaGPy9ZpEoLMW18agAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/dae8c9c1f23d2c8322bb26e67d25debe/8ac56/image-20240106161119964.webp 240w,\n/static/dae8c9c1f23d2c8322bb26e67d25debe/d3be9/image-20240106161119964.webp 480w,\n/static/dae8c9c1f23d2c8322bb26e67d25debe/e46b2/image-20240106161119964.webp 960w,\n/static/dae8c9c1f23d2c8322bb26e67d25debe/3a6ad/image-20240106161119964.webp 1015w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/dae8c9c1f23d2c8322bb26e67d25debe/8ff5a/image-20240106161119964.png 240w,\n/static/dae8c9c1f23d2c8322bb26e67d25debe/e85cb/image-20240106161119964.png 480w,\n/static/dae8c9c1f23d2c8322bb26e67d25debe/d9199/image-20240106161119964.png 960w,\n/static/dae8c9c1f23d2c8322bb26e67d25debe/e088a/image-20240106161119964.png 1015w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/dae8c9c1f23d2c8322bb26e67d25debe/d9199/image-20240106161119964.png\"\n            alt=\"image-20240106161119964\"\n            title=\"image-20240106161119964\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I used the following script to render the font.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> PIL <span class=\"token keyword\">import</span> Image<span class=\"token 
punctuation\">,</span> ImageDraw<span class=\"token punctuation\">,</span> ImageFont\n\nfont_file <span class=\"token operator\">=</span> <span class=\"token string\">'./FakeFont_0.ttf'</span>\nfont <span class=\"token operator\">=</span> ImageFont<span class=\"token punctuation\">.</span>truetype<span class=\"token punctuation\">(</span>font_file<span class=\"token punctuation\">,</span> <span class=\"token number\">40</span><span class=\"token punctuation\">)</span>\n\nimage <span class=\"token operator\">=</span> Image<span class=\"token punctuation\">.</span>new<span class=\"token punctuation\">(</span><span class=\"token string\">'RGB'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token number\">1024</span><span class=\"token punctuation\">,</span> <span class=\"token number\">300</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> color<span class=\"token operator\">=</span><span class=\"token punctuation\">(</span><span class=\"token number\">255</span><span class=\"token punctuation\">,</span> <span class=\"token number\">255</span><span class=\"token punctuation\">,</span> <span class=\"token number\">255</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ndraw <span class=\"token operator\">=</span> ImageDraw<span class=\"token punctuation\">.</span>Draw<span class=\"token punctuation\">(</span>image<span class=\"token punctuation\">)</span>\n\ntext <span class=\"token operator\">=</span> <span class=\"token string\">\"我們歡迎您接受一生中最大的挑戰，即嘗試理解這段文字的含義\"</span>\ndraw<span class=\"token punctuation\">.</span>text<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token number\">10</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> text<span class=\"token 
,</span> fill<span">
punctuation\">,</span> fill<span class=\"token operator\">=</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> font<span class=\"token operator\">=</span>font<span class=\"token punctuation\">)</span>\n\nimage_path <span class=\"token operator\">=</span> <span class=\"token string\">'./flag.png'</span>\nimage<span class=\"token punctuation\">.</span>save<span class=\"token punctuation\">(</span>image_path<span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"wheres-skatnetwork\" style=\"position:relative;\"><a href=\"#wheres-skatnetwork\" aria-label=\"wheres skatnetwork permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Where’s skat?(Network)</h2>\n<blockquote>\n<p>While traveling over the holidays, I was doing some casual wardriving (as I often do). Can you use my capture to find where I went?</p>\n<p>Note: the flag is irisctf{the_location}, where the_location is the full name of my destination location, not the street address. For example, irisctf{Washington_Monument}. 
Note that the flag is not case sensitive.</p>\n</blockquote>\n<p>Analyzing the provided PCAP file shows that it was communicating with access points having the following SSIDs.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 885px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ce322894856d93b7ad54d06b94195bc7/efc66/image-20240106202322056.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ce322894856d93b7ad54d06b94195bc7/8ac56/image-20240106202322056.webp 240w,\n/static/ce322894856d93b7ad54d06b94195bc7/d3be9/image-20240106202322056.webp 480w,\n/static/ce322894856d93b7ad54d06b94195bc7/dad35/image-20240106202322056.webp 885w\"\n              sizes=\"(max-width: 885px) 100vw, 885px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ce322894856d93b7ad54d06b94195bc7/8ff5a/image-20240106202322056.png 240w,\n/static/ce322894856d93b7ad54d06b94195bc7/e85cb/image-20240106202322056.png 480w,\n/static/ce322894856d93b7ad54d06b94195bc7/efc66/image-20240106202322056.png 885w\"\n            sizes=\"(max-width: 885px) 100vw, 885px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ce322894856d93b7ad54d06b94195bc7/efc66/image-20240106202322056.png\"\n            alt=\"image-20240106202322056\"\n            title=\"image-20240106202322056\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Looking up those access points on Wigle allowed me to identify the coordinates where they existed.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/56e73c4cb9b2bee798772411b40b7580/6fcb6/image-20240106202338335.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 41.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/56e73c4cb9b2bee798772411b40b7580/8ac56/image-20240106202338335.webp 240w,\n/static/56e73c4cb9b2bee798772411b40b7580/d3be9/image-20240106202338335.webp 480w,\n/static/56e73c4cb9b2bee798772411b40b7580/e46b2/image-20240106202338335.webp 960w,\n/static/56e73c4cb9b2bee798772411b40b7580/f992d/image-20240106202338335.webp 1440w,\n/static/56e73c4cb9b2bee798772411b40b7580/dff8d/image-20240106202338335.webp 1523w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/56e73c4cb9b2bee798772411b40b7580/8ff5a/image-20240106202338335.png 240w,\n/static/56e73c4cb9b2bee798772411b40b7580/e85cb/image-20240106202338335.png 480w,\n/static/56e73c4cb9b2bee798772411b40b7580/d9199/image-20240106202338335.png 960w,\n/static/56e73c4cb9b2bee798772411b40b7580/07a9c/image-20240106202338335.png 1440w,\n/static/56e73c4cb9b2bee798772411b40b7580/6fcb6/image-20240106202338335.png 1523w\"\n            
sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/56e73c4cb9b2bee798772411b40b7580/d9199/image-20240106202338335.png\"\n            alt=\"image-20240106202338335\"\n            title=\"image-20240106202338335\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Checking those coordinates on Google Maps showed that <code class=\"language-text\">irisctf{Los_Angeles_Union_Station}</code> was the correct flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/dd46e58aa58a6630c939be1dcfd184f0/58fee/image-20240106202348174.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 53.333333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/dd46e58aa58a6630c939be1dcfd184f0/8ac56/image-20240106202348174.webp 240w,\n/static/dd46e58aa58a6630c939be1dcfd184f0/d3be9/image-20240106202348174.webp 480w,\n/static/dd46e58aa58a6630c939be1dcfd184f0/e46b2/image-20240106202348174.webp 960w,\n/static/dd46e58aa58a6630c939be1dcfd184f0/42749/image-20240106202348174.webp 1051w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/dd46e58aa58a6630c939be1dcfd184f0/8ff5a/image-20240106202348174.png 240w,\n/static/dd46e58aa58a6630c939be1dcfd184f0/e85cb/image-20240106202348174.png 480w,\n/static/dd46e58aa58a6630c939be1dcfd184f0/d9199/image-20240106202348174.png 960w,\n/static/dd46e58aa58a6630c939be1dcfd184f0/58fee/image-20240106202348174.png 1051w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/dd46e58aa58a6630c939be1dcfd184f0/d9199/image-20240106202348174.png\"\n            alt=\"image-20240106202348174\"\n            title=\"image-20240106202348174\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>It was my first CTF of the new year, but I learned a lot and had a great time.</p>\n<p>Lately, I feel like I keep running into eBPF in one way or another, so I need to study the lower layers of Linux more as well.</p>","fields":{"slug":"/ctf-irisctf-2024-en","tagSlugs":["/tag/rev-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2024-01-13","description":"Writeup for IrisCTF 2024","tags":["Rev (en)","Forensic (en)","English"],"title":"IrisCTF 2024 
Writeup","socialImage":{"publicURL":"/static/8ae0ca03b5f4fd3a39dcc2afedc5a17e/ctf-irisctf-2024.png"}}}},"pageContext":{"slug":"/ctf-irisctf-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}