roaris / ctf-log

picoCTF: Safe Opener (Reverse Engineering) #11

Open roaris opened 3 months ago

roaris commented 3 months ago

https://play.picoctf.org/practice/challenge/294

roaris commented 3 months ago

SafeOpener.java

import java.io.*;
import java.util.*;  
public class SafeOpener {
    public static void main(String args[]) throws IOException {
        BufferedReader keyboard = new BufferedReader(new InputStreamReader(System.in));
        Base64.Encoder encoder = Base64.getEncoder();
        String encodedkey = "";
        String key = "";
        int i = 0;
        boolean isOpen;

        while (i < 3) {
            System.out.print("Enter password for the safe: ");
            key = keyboard.readLine();

            encodedkey = encoder.encodeToString(key.getBytes());
            System.out.println(encodedkey);

            isOpen = openSafe(encodedkey);
            if (!isOpen) {
                System.out.println("You have  " + (2 - i) + " attempt(s) left");
                i++;
                continue;
            }
            break;
        }
    }

    public static boolean openSafe(String password) {
        String encodedkey = "cGwzYXMzX2wzdF9tM18xbnQwX3RoM19zYWYz";

        if (password.equals(encodedkey)) {
            System.out.println("Sesame open");
            return true;
        }
        else {
            System.out.println("Password is incorrect\n");
            return false;
        }
    }
}

roaris commented 3 months ago

For now, try compiling and running it: https://java.keicode.com/lang/how-to-compile-basic.php

There is no javac, so install Amazon Corretto: https://docs.aws.amazon.com/corretto/latest/corretto-21-ug/downloads-list.html

$ wget https://corretto.aws/downloads/latest/amazon-corretto-21-x64-linux-jdk.tar.gz
$ tar -zxvf amazon-corretto-21-x64-linux-jdk.tar.gz

A directory named amazon-corretto-21.0.2.14.1-linux-x64 is created, and javac is in amazon-corretto-21.0.2.14.1-linux-x64/bin. Add amazon-corretto-21.0.2.14.1-linux-x64/bin to the PATH.

Compile and run.

$ javac SafeOpener.java
$ java SafeOpener
Error: LinkageError occurred while loading main class SafeOpener
        java.lang.UnsupportedClassVersionError: SafeOpener has been compiled by a more recent version of the Java Runtime (class file version 65.0), this version of the Java Runtime only recognizes class file versions up to 61.0

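This seems to be an error saying that the java and javac versions differ (reference).

The java being used is the one in /usr/bin, and its version does indeed differ from javac's.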

$ which java
/usr/bin/java
$ java --version
openjdk 17.0.10 2024-01-16
OpenJDK Runtime Environment (build 17.0.10+7-Debian-1)
OpenJDK 64-Bit Server VM (build 17.0.10+7-Debian-1, mixed mode, sharing)
$ which javac
/home/roaris/amazon-corretto-21.0.2.14.1-linux-x64/bin/javac
$ javac --version
javac 21.0.2

Resolved by renaming /usr/bin/java to /usr/bin/java-disabled.

$ mv /usr/bin/java /usr/bin/java-disabled
$ which java
/home/roaris/amazon-corretto-21.0.2.14.1-linux-x64/bin/java
$ java --version
openjdk 21.0.2 2024-01-16 LTS
OpenJDK Runtime Environment Corretto-21.0.2.14.1 (build 21.0.2+14-LTS)
OpenJDK 64-Bit Server VM Corretto-21.0.2.14.1 (build 21.0.2+14-LTS, mixed mode, sharing)

It ran.

$ java SafeOpener
Enter password for the safe: a
YQ==
Password is incorrect

You have  2 attempt(s) left
Enter password for the safe: b
Yg==
Password is incorrect

You have  1 attempt(s) left
Enter password for the safe: c
Yw==
Password is incorrect

You have  0 attempt(s) left

roaris commented 3 months ago

If the result of base64-encoding the input string matches cGwzYXMzX2wzdF9tM18xbnQwX3RoM19zYWYz, it prints Sesame open.

Base64-decoding cGwzYXMzX2wzdF9tM18xbnQwX3RoM19zYWYz yields the flag.

$ echo -n "cGwzYXMzX2wzdF9tM18xbnQwX3RoM19zYWYz" | base64 -d
pl3as3_l3t_m3_1nt0_th3_saf3
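
Added example, not part of the original post or the challenge: the Base64 comparison from SafeOpener.openSafe next to a hardened check that stores only a salt and a PBKDF2 verifier. The class name SafeCheckDemo, the helper names, the iteration count and the in-program provisioning step are assumptions made for this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical demo class: contrasts the page's Base64 comparison
// with a salted PBKDF2 verifier and a constant-time comparison.
public class SafeCheckDemo {
    static final int ITERATIONS = 210_000; // assumed work factor for the demo
    static final int KEY_BITS = 256;

    // Weak form, as in SafeOpener.openSafe: Base64 is a reversible encoding,
    // so the embedded constant is the password itself in another alphabet.
    static boolean weakCheck(String input, String embeddedB64) {
        String encoded = Base64.getEncoder().encodeToString(input.getBytes(StandardCharsets.UTF_8));
        return encoded.equals(embeddedB64);
    }

    // Derives the value that is stored instead of the password.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Hardened form: re-derive from the input and compare in constant time.
    static boolean strongCheck(String input, byte[] salt, byte[] stored) throws Exception {
        return MessageDigest.isEqual(derive(input.toCharArray(), salt), stored);
    }

    public static void main(String[] args) throws Exception {
        String embedded = "cGwzYXMzX2wzdF9tM18xbnQwX3RoM19zYWYz"; // constant from the page
        // Whoever holds the source or class file can decode the constant directly.
        String recovered = new String(Base64.getDecoder().decode(embedded), StandardCharsets.UTF_8);
        System.out.println("weak check accepts decoded constant: " + weakCheck(recovered, embedded));

        // Provisioning step (constructed for the demo): only salt and verifier are kept.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] stored = derive(recovered.toCharArray(), salt);
        System.out.println("correct password: " + strongCheck(recovered, salt, stored));
        System.out.println("wrong password:   " + strongCheck("guess", salt, stored));
    }
}
```

A stored verifier cannot be decoded back to the password, but a low-entropy password can still be guessed offline against it, so the work factor and password strength both matter.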