{"id":5770,"date":"2019-12-26T00:12:35","date_gmt":"2019-12-25T15:12:35","guid":{"rendered":"http:\/\/mimumimu.net\/blog\/?p=5770"},"modified":"2019-12-26T00:59:43","modified_gmt":"2019-12-25T15:59:43","slug":"seccon-2019-final-write-up-mimura","status":"publish","type":"post","link":"https:\/\/mimumimu.net\/blog\/2019\/12\/26\/seccon-2019-final-write-up-mimura\/","title":{"rendered":"SECCON 2019 Final Write-up (Mimura)"},"content":{"rendered":"\n

\u307f\u3080\u3089\u3067\u3059\u3002
\u5148\u65e5 SECCON CTF \u304c\u884c\u308f\u308c\u3001\u53f8\u4f1a\u696d\u3057\u306a\u304c\u3089\u554f\u984c\u3082\u3072\u3068\u3064\u51fa\u984c\u3055\u305b\u3066\u9802\u304d\u307e\u3057\u305f\u3002 <\/p>\n\n\n\n

\u5f53\u65e5\u671d\u6765\u305f\u3089\u300c\u554f\u984c\u540d\u306f mimura \u306d\uff01\u300d\u3068\u306a\u3063\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n\n\n\n

\u307f\u306a\u3055\u3093\u304c\u3082\u3057\u304b\u3057\u305f\u3089\u6301\u305f\u308c\u3066\u3044\u305f\u304b\u3082\u3057\u308c\u306a\u3044\u3001
\u300c\u306a\u3093\u3060\u3088\u3001\u81ea\u5df1\u4e3b\u5f35\u5f37\u3059\u304e\u3060\u308d\u30fb\u30fb\u300d\u307f\u305f\u3044\u306a\u8a8d\u8b58\u306f\u8aa4\u308a\u3067\u3059\u3002\u3002\uff08\u82e6\u7b11\uff09<\/p>\n\n\n\n

\u5f53\u4eba\u3082\u5e74\u672b\u306b\u5fc3\u81d3\u306b\u30ea\u30a2\u30c3\u30d7\uff08\u80b2\u6bdb\u5264\uff09\u3092\u639b\u3051\u3089\u308c\u305f\u611f\u3058\u3067\u3001
\u305d\u308c\u306f\u305d\u308c\u306f\u3088\u3044\u6bdb\u304c\u751f\u3048\u305f\u6c17\u304c\u3057\u307e\u3059\u3002\u5197\u8ac7\u306f\u3053\u306e\u8fba\u306b\u3057\u3066\u3002\u3002<\/p>\n\n\n\n

\n\n\n\n

Hi, This is Mimura is author of “Mimura” challenge had provided on SECCON 2019 final.

I would have named to my challenge if I knew it will called as my name.
but in fact, I got a strong heart in exchange for the result. <\/p>\n\n\n\n

okay, enough with jokes. I’ll start explaing how to solve it:<\/p>\n\n\n\n

\n\n\n\n

\u554f\u984c\u306e\u30b9\u30c8\u30fc\u30ea\u30fc \/ Overview:<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

\u30d1\u30b9\u30ef\u30fc\u30c9\u30ed\u30c3\u30af\u3055\u308c\u3066\u3044\u308b USB \u30c9\u30f3\u30b0\u30eb\u304c\u6e21\u3055\u308c\u308b\u306e\u3067
\u4e0a\u624b\u304f\u30d1\u30b9\u30ef\u30fc\u30c9\u30ed\u30c3\u30af\u3092\u89e3\u9664\u3057\u3066\u4e2d\u304b\u3089\u30d5\u30e9\u30b0\u6587\u5b57\u5217\u3092\u63a2\u3059\u3053\u3068\u304c\u76ee\u7684\u3067\u3059\u3002

\u305d\u306e\u305f\u3081\u306e\u624b\u3068\u3057\u3066\u306f\u4e0b\u8a18\u306e\u3088\u3046\u306a\u3082\u306e\u304c\u8003\u3048\u3089\u308c\u307e\u3059\u3002 (\u89e3\u304f\u305f\u3081\u306b\u5fc5\u8981\u306a\u8a33\u3067\u306f\u306a\u3044\u3067\u3059):
\u30fbUSB \u30b1\u30fc\u30d6\u30eb\u3092\u63a5\u7d9a\u3059\u308b
\u30fb\u30c7\u30d0\u30c3\u30ac\u306b\u63a5\u7d9a\u3059\u308b\u3002
\u30fb\u30d5\u30a1\u30fc\u30e0\u30a6\u30a7\u30a2\u3092\u53d6\u308a\u51fa\u3057\u3066\u89e3\u6790\u3059\u308b\u3002
\u30fb\u6539\u9020\u3057\u3066\u66f8\u304d\u623b\u3059
\u30fb\u534a\u7530\u3054\u3066\u3067\u56de\u8def\u3092\u5909\u66f4\u3059\u308b etc… <\/p>\n\n\n\n

\n\n\n\n

We provide a usb-key which seems protected by password.
you should find a password and find a flag on this device.

You can.. ( of course, you don’t have to do everything.) :
\u30fbConnect to Debugger (Hardware Emulator)
\u30fbConnect to PC
\u30fbDumping and Analyse a firmware.
\u30fbRewrite a modified firmware.
\u30fbModify the circuit with soldering iron etc..<\/p>\n\n\n\n

\n\n\n\n

\u3069\u3046\u3057\u3066\u3053\u3046\u3044\u3046\u554f\u984c\u3092\u4f5c\u308d\u3046\u3068\u601d\u3063\u305f\u304b\u3002 \/ What influenced:<\/h3>\n\n\n\n

\u30cf\u30fc\u30c9\u30a6\u30a7\u30a2\u306b\u95a2\u3059\u308b\u554f\u984c\u3092\u4f5c\u308d\u3046\u3068\u601d\u3063\u3066\u3044\u3066\u3001
\u30cf\u30fc\u30c9\u30a6\u30a7\u30a2\u30ed\u30c3\u30af\u4ed8\u304d\u306e USB \u30e1\u30e2\u30ea\u3092\u554f\u984c\u306b\u3057\u305f\u3089\u9762\u767d\u305d\u3046\u3068\u601d\u3063\u305f\u306e\u304c\u304d\u3063\u304b\u3051\u3067\u3059\u3002

\u307e\u305f\u6700\u8fd1\u306f\u696d\u52d9\u3067\u3082\u30cf\u30fc\u30c9\u30a6\u30a7\u30a2\u6a5f\u5668\u3092\u89e6\u3063\u305f\u308a\u8272\u3005\u3068\u3057\u3066\u3044\u307e\u3059\u306e\u3067
\u81ea\u5206\u306e\u4e2d\u3067\u4f5c\u554f\u3092\u901a\u3057\u3066\u3061\u3087\u3063\u3068\u7121\u7406\uff08\u5b66\u7fd2\uff09\u3092\u3057\u3066\u307f\u3088\u3046\u3068\u3044\u3046\u6c17\u6301\u3061\u3067
\u30de\u30b9\u30b9\u30c8\u30ec\u30fc\u30b8\u306b\u6311\u6226\u3057\u3066\u307f\u3088\u3046\u3068\u601d\u3044\u307e\u3057\u305f\u3002<\/p>\n\n\n\n

\n\n\n\n

I was influenced by Security USB-Key.

My main job is security researcher and developer, and I have recently been investigating of hardware device.
So, I thought to try to make mass storage device without an OS and growth up my skills.<\/p>\n\n\n\n

\n\n\n\n

\u30b9\u30c6\u30c3\u30d7\uff11\uff1a\u30cf\u30fc\u30c9\u30a6\u30a7\u30a2\u3092\u7e4b\u3054\u3046
Step1 : Let’s connect the device to your machine.<\/h2>\n\n\n\n
  • \"\"<\/figure><\/li>
  • \"\"<\/figure><\/li><\/ul><\/figure>\n\n\n\n

    \u30cf\u30fc\u30c9\u30a6\u30a7\u30a2\u3092\u7e4b\u3050\u3068\u4e0a\u8a18\u306e\u3088\u3046\u306a\uff12\u3064\u306e\u30c7\u30d0\u30a4\u30b9\u304c\u8a8d\u8b58\u3055\u308c\u307e\u3059\u3002
    You will find these devices on your machine when connect the device.<\/p>\n\n\n\n

    \n\n\n\n
    \"\"<\/figure>\n\n\n\n

    \u307e\u305f\u3001\u30de\u30b9\u30b9\u30c8\u30ec\u30fc\u30b8\u306e\u65b9\u306f\u3001\u305d\u308c\u3063\u307d\u3044\u30d5\u30a1\u30a4\u30eb\u304c\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b\u306e\u3067\u3059\u304c\u3001
    “<THIS SECTOR AREA IS PROTECTED BY HARDWARE PROTECTION>” \u3068\u8868\u793a\u3055\u308c\u3066\u3044\u3066\u3001
    \u5185\u5bb9\u304c\u8aad\u3081\u307e\u305b\u3093\u3002<\/p>\n\n\n\n

    You can find deleted file that seems would contain a flag data, but it seems protected.<\/p>\n\n\n\n

    \n\n\n\n
    \"\"<\/figure>\n\n\n\n

    COM\u306e\u307b\u3046\u306f\u3068\u3044\u3046\u3068\u3001\u7e4b\u3050\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u8981\u6c42\u3055\u308c\u3001
    \uff13\u56de\u5931\u6557\u3059\u308b\u3068\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u306e\u53d7\u4ed8\u3092\u4e00\u5207\u3057\u3066\u304f\u308c\u306a\u304f\u306a\u308a\u307e\u3059\u3002<\/p>\n\n\n\n

    Let’s check the com port. It looks like we need to input correct password via COM port.
    And if you input wrong password three times, the device going to freeze. <\/p>\n\n\n\n

    \n\n\n\n

    \u30b9\u30c6\u30c3\u30d7\uff12\uff1a\u30c7\u30d0\u30c3\u30ac\u3092\u7e4b\u3054\u3046
    Step2 : Let’s connect emulator (debugger) to device.<\/h2>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    USB\u30dd\u30fc\u30c8\u306e\u771f\u9006\u306e\u4f4d\u7f6e\u306b\u3001SWD \u30dd\u30fc\u30c8\uff08\u30c7\u30d0\u30c3\u30ac\u3092\u63a5\u7d9a\u3059\u308b\u305f\u3081\u306e\u30dd\u30fc\u30c8\uff09\u304c\u751f\u3048\u3066\u3044\u307e\u3059\u3002
    \u3053\u3053\u306b\u554f\u984c\u3068\u4e00\u7dd2\u306b\u914d\u5e03\u3057\u3066\u3044\u305f\u30b1\u30fc\u30d6\u30eb\u3092\u63a5\u7d9a\u3057\u3001\u30c7\u30d0\u30c3\u30ac (STLink) \u3068\u63a5\u7d9a\u3057\u307e\u3059\u3002<\/p>\n\n\n\n

    You can find a SWD port that uses for hardware debugging on the other side of USB port.
    You need insert a cable which we provided at beginning of the game and connect to the emulator (STLink).<\/p>\n\n\n\n

    \n\n\n\n

    \u305f\u3060\u305d\u306e\u307e\u307e\u3067\u306f\u63a5\u7d9a\u3067\u304d\u307e\u305b\u3093\u3002

    \u4e16\u306e\u4e2d\u306b\u58f2\u3089\u308c\u3066\u3044\u308b\u30cf\u30fc\u30c9\u30a6\u30a7\u30a2\u306b\u304a\u3044\u3066\u3082\u3001
    \u3053\u3046\u3044\u3046\u30c7\u30d0\u30c3\u30b0\u30dd\u30fc\u30c8\u306f\u4f55\u3089\u304b\u306e\u624b\u306b\u3088\u3063\u3066\u63a5\u7d9a\u3067\u304d\u306a\u3044\u3088\u3046\u306b\u4f5c\u3089\u308c\u3066\u3044\u307e\u3059\u3002

    \u4eca\u56de\u306e\u554f\u984c\u3067\u306f\u3001\u672c\u4f53\u306e\u30d7\u30ed\u30b0\u30e9\u30e0\u30b3\u30fc\u30c9\u306e\u5192\u982d\u3067 SWD \u30dd\u30fc\u30c8\u3092\u7121\u52b9\u306b\u3059\u308b\u3088\u3046\u306b
    \u30b3\u30fc\u30c9\u3092\u5165\u308c\u3066\u304a\u304d\u307e\u3057\u305f\u3002<\/p>\n\n\n\n

    But… you may can’t connect the device via emulator if just connect.
    Most devices disable the debug port (such as SWD, JTAG ICE and so on..) to protect “Intellectual Property” or prevent from illegal use.

    Also on this device, I insert a code to disable the SWD port at the beginning of the main program code.<\/p>\n\n\n\n

    \n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \"\"
    Description of Boot Mode selection (from ST.com, en.CD00164185.pdf)<\/figcaption><\/figure>\n\n\n\n

    \u4eca\u56de\u306e\u30dc\u30fc\u30c9\u3067\u3059\u3068\u3001\u4e0a\u306b\u30b8\u30e3\u30f3\u30d1\u30b9\u30a4\u30c3\u30c1\u304c\u3042\u308a\u307e\u3057\u305f\u3002

    \u3053\u3053\u3092\u306e\u4e0a\u306e\u30d4\u30f3 (BOOT0) \u3092 “0” \u4ee5\u5916\u306b\u3059\u308b\u3053\u3068\u3067\u3001\u30e1\u30a4\u30f3\u30d5\u30a1\u30fc\u30e0\uff08\u4eca\u56de\u306e\u554f\u984c\u306e\u30d7\u30ed\u30b0\u30e9\u30e0\uff09\u4ee5\u5916\u3067\u30b7\u30b9\u30c6\u30e0\u304c\u7acb\u3061\u4e0a\u304c\u308b\u3088\u3046\u306b\u306a\u308b\u305f\u3081\u3001
    \u30d7\u30ed\u30b0\u30e9\u30e0\u306b\u3088\u3063\u3066 SWD \u306e\u7121\u52b9\u5316\u304c\u884c\u308f\u308c\u305a\u3001\u63a5\u7d9a\u53ef\u80fd\u3068\u306a\u308a\u307e\u3057\u305f\u3002

    \u305d\u306e\u4ed6\u306e\u65b9\u6cd5\u3068\u3057\u3066\u306f\u3001\u4e0a\u306e “RST” \u3068\u66f8\u304b\u308c\u305f\u30dc\u30bf\u30f3\uff08\u30ea\u30bb\u30c3\u30c8\u30dc\u30bf\u30f3\uff09\u3092\u62bc\u3057\u7d9a\u3051
    \u30d7\u30ed\u30b0\u30e9\u30e0\u81ea\u4f53\u304c\u8d77\u52d5\u3057\u306a\u3044\u72b6\u614b\u306b\u3057\u3066\u63a5\u7d9a\u3059\u308b\u3068\u3044\u3046\u65b9\u6cd5\u3082\u3042\u308a\u307e\u3059\u3002<\/p>\n\n\n\n

    \n\n\n\n

    You can control the boot mode by Jumper switch.
    If you change the BOOT0 pins ( upper pin ) to 1 (such like the photo), you can connect SWD port because the hardware will not run the challenge binary.<\/p>\n\n\n\n

    In other way, you can connect it with push and hold the RST button until connect the emulator successfully.<\/p>\n\n\n\n

    \n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \"\"
    Description of Boot Mode selection (from ST.com, en.<\/em>CD00225773.pdf)<\/em> <\/figcaption><\/figure>\n\n\n\n
    \"\"
    Description of Boot Mode selection (from ST.com, en.CD00225773.pdf) <\/em> <\/figcaption><\/figure>\n\n\n\n

    \u63a5\u7d9a\u304c\u7121\u4e8b\u306b\u5b8c\u4e86\u3059\u308c\u3070\u3001\u30e1\u30e2\u30ea\u3092\u30c0\u30f3\u30d7\u3059\u308b\u30c4\u30fc\u30eb\u3092\u7528\u3044\u3066
    \u30d5\u30e9\u30c3\u30b7\u30e5\u306e\u5185\u5bb9\u3092\u629c\u304d\u51fa\u3057\u307e\u3059\u3002

    \u30a2\u30c9\u30ec\u30b9\u306b\u3064\u3044\u3066\u306f\u3001\u540c\u3058\u3088\u3046\u306b\u30c1\u30c3\u30d7\u306e\u4ed5\u69d8\u66f8\u3092\u898b\u308b\u3068
    “Flash memory” \u306f 0x08000000 \u304b\u3089 0x080FFFFF \u306b\u30a2\u30c9\u30ec\u30b9\u304c\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u307e\u3059\u306e\u3067\u3001
    \u3053\u306e\u7bc4\u56f2\u3092\u898b\u306a\u304c\u3089\u30c0\u30f3\u30d7\u3092\u884c\u3044\u307e\u3059\u3002

    \u4eca\u56de\u306e\u554f\u984c\u3067\u306f 64K \u306e\u30e1\u30e2\u30ea\u304c\u7a4d\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u306e\u3067\u3001
    Sector 0 \u304b\u3089 Sector 3 (0x0800FFFF) \u307e\u3067\u304c\u30a2\u30af\u30bb\u30b9\u53ef\u80fd\u306b\u306a\u3063\u3066\u3044\u308b\u304b\u3068\u601d\u3044\u307e\u3059\u3002

    \u4e0a\u8a18\u306e\u4f8b\u3067\u306f STM32 ST-Link Utility \u3092\u4f7f\u7528\u3057\u307e\u3057\u305f\u304c\u3001
    \u305d\u306e\u4ed6\u306b\u4f7f\u3044\u6163\u308c\u305f\u30d7\u30ed\u30b0\u30e9\u30de\u3084\u30c7\u30d0\u30c3\u30ac\u3092\u304a\u6301\u3061\u3067\u3042\u308c\u3070\u305d\u308c\u3092\u5229\u7528\u3057\u305f\u308a\u3057\u3066
    \u62bd\u51fa\u3059\u308c\u3070\u826f\u3044\u3068\u601d\u3044\u307e\u3059\u3002

    \u4f8b\u3048\u3070STM32 \u3092 J-Link \u5316\u3057\u305f\u3042\u3068 OpenOCD \u3067\u63a5\u7d9a\u3057\u3066\u3001
    mdw \u30b3\u30de\u30f3\u30c9\u3067 “mdw 0x8000000” \u3068\u3057\u3066\u53d6\u308a\u51fa\u3057\u305f\u308a
    dump_image \u30b3\u30de\u30f3\u30c9\u3067 “dump_image dump.bin 0x8000000 0xFFFF” \u307f\u305f\u3044\u306a\u611f\u3058\u3067
    \u62bd\u51fa\u3059\u308b\u3068\u3044\u3046\u65b9\u6cd5\u306a\u3069\u3082\u3042\u308a\u307e\u3059\u3002<\/p>\n\n\n\n

    \n\n\n\n

    After connection, you can rip the firmware from hardware with writer tool.

    According to the peripheral data sheat, You can find that the main firmware saved on a memory of 0x08000000 (Sector 0) to 0x0800FFFF (Sector 3) area.

    I used STM32 ST-Link Utility to rip the challenge program binary on this time.
    It’s also possible to rip with OpenOCD or similar tools.

    if you try to rip with OpenOCD, you can use “mdw” command (i.g. “mdw 0x8000000” ) or “dump_image” command (i.g. “dump_image dump.bin 0x8000000 0xFFFF”)<\/p>\n\n\n\n

    \n\n\n\n

    \u30b9\u30c6\u30c3\u30d7\uff13\uff1a\u30d5\u30a1\u30fc\u30e0\u30a6\u30a7\u30a2\u3092\u89e3\u6790\u3057\u3088\u3046
    Step 3 : Let’s analyse the firmware!<\/h2>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    \u666e\u6bb5\u306f IDA \u4f7f\u3044\u306a\u306e\u3067\u3059\u304c\u3001
    \u7121\u6599\u306e\u7bc4\u56f2\u3067\u30d0\u30c3\u30c1\u30ea\u3067\u304d\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308b\u305f\u3081\u306b\u3001 Ghidra \u3067\u3084\u3063\u3066\u307f\u307e\u3059\u3002

    \u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3057\u305f\u3042\u3068\u306b “Checking…” \u3068\u51fa\u307e\u3059\u306e\u3067
    \u305d\u306e\u6587\u5b57\u5217\u306e\u51e6\u7406\u3092\u983c\u308a\u306b\u63a2\u3057\u3066\u307f\u308b\u3068 0x80001a8 \u4ed8\u8fd1\u306b\u30d1\u30b9\u30ef\u30fc\u30c9\u306e\u78ba\u8a8d\u51e6\u7406\u304c\u898b\u3064\u304b\u308a\u307e\u3059\u3002

    \u3053\u3053\u306e\u51e6\u7406\u3092\u898b\u308b\u3068\u4e0b\u8a18\u306e\u30eb\u30fc\u30eb\u304c\u73fe\u308c\u307e\u3059\uff1a
    \u30fb\uff11\u6587\u5b57\u76ee\u306f “O”
    \u30fb\uff13\u6587\u5b57\u76ee\u3001\uff17\u6587\u5b57\u76ee\u3001\uff11\uff11\u6587\u5b57\u76ee\u306f “e”
    \u30fb\uff19\u6587\u5b57\u76ee\u306f “a”
    \u30fb\uff11\uff10\u6587\u5b57\u76ee\u306f “m”

    \u3064\u307e\u308a\u3001\u4e0d\u660e\u306a\u90e8\u5206\u3092\u9069\u5f53\u306a\u6587\u5b57\u3067\u57cb\u3081\u308b\u3068 “O_e___e_ame!” \u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n\n\n\n

    \n\n\n\n

    Let’s analyse the firmware with Ghidra!

    Looking back at the communication via serial port, the string that “checking ..” was appeared after send a password.
    At address 0x80001a8, you can find the code.

    According the code, you’ll find these rules:
    * 1st character is “O”
    * 3rd, 7th and 11th character is “e”
    * 9th character is “a”
    * 10th character is “m”

    Therefore, the password will “O_e___e_ame!”. ( I filled unknown character with “_”)<\/p>\n\n\n\n

    \n\n\n\n
    \"\"<\/figure>\n\n\n\n

    \u3084\u3063\u305f\uff01\u89e3\u3051\u307e\u3057\u305f\uff01
    Hooray! you did it!!<\/p>\n\n\n\n

    \n\n\n\n

    \u5b9f\u306f… \/ It\u2019s hard to say this, but\u2026 <\/h4>\n\n\n\n

    \u30fb\u30fb\u30fb\u3067\u3059\u3088\u306d\u3002\u3002\u3059\u307f\u307e\u305b\u3093\u3002
    \u3053\u308c\u306a\u306e\u3067\u3059\u304c\u3001\u66f8\u304d\u8fbc\u3080\u30ea\u30d3\u30b8\u30e7\u30f3\u3092\u9593\u9055\u3048\u3066\u3057\u307e\u3044\u307e\u3057\u3066\u3001
    \u7279\u5b9a\u4f4d\u7f6e\u306e\u6587\u5b57\u5217\u30c1\u30a7\u30c3\u30af\u304c\u6b20\u640d\u3057\u305f\u7248\u306b\u306a\u3063\u3066\u3044\u307e\u3057\u305f\u3002
    \u30df\u30b9\u306e\u72b6\u614b\u306e\u307e\u307e\u51fa\u984c\u3092\u884c\u3063\u3066\u3057\u307e\u3044\u7533\u3057\u8a33\u3042\u308a\u307e\u305b\u3093\u3093\u3067\u3057\u305f\u3002\u3002\u3002

    …yes, I know why you’re being wired. It’s a my fail. I’m so sorry.
    I had made a mistake that I wrote an another version firmware.
    Thus, you would not have found a 2nd, 4th, 5th, 6th and 8th character.<\/p>\n\n\n\n

    \u3053\u3053\u3067\u56de\u7b54\u3092\u671f\u5f85\u3057\u3066\u3044\u305f\u30ad\u30fc\u30ef\u30fc\u30c9\u306f “\u958b\u3051\uff01\u30b4\u30de\uff01” \u3067\u3059\u3002
    \u30a2\u30ea\u30d0\u30d0\u3068\uff14\uff10\u4eba\u306e\u76d7\u8cca\u3067\u767b\u5834\u3059\u308b\u8a71\u3067\u3059\u304c\u3001\u65e5\u672c\u3060\u3068\u300c\u30a2\u30e9\u30b8\u30f3\u300d\u3068\u304b\u305d\u3046\u3044\u3046\u8a71\u3067\u3082\u51fa\u3066\u304f\u308b\u306e\u3067\u4e16\u754c\u4e00\u822c\u4ee5\u4e0a\u306b\u65e5\u672c\u3067\u6709\u540d\u306a\u30ad\u30fc\u30ef\u30fc\u30c9\u306a\u3093\u3058\u3083\u306a\u3044\u304b\u3068\u601d\u3044\u307e\u3059\u3002\u77e5\u308a\u307e\u305b\u3093\u3051\u3069\u3002\u3002

    My expected password is “Open Sesame!”.
    This is one of the most famous words from “Alibaba and the Forty Thieves”, I think.<\/p>\n\n\n\n

    \n\n\n\n

    \u30b9\u30c6\u30c3\u30d7\uff14\uff1a\u30d5\u30a1\u30a4\u30eb\u3092\u53d6\u308a\u51fa\u305d\u3046
    Step 4 : Let’s extract the file.<\/h2>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    \u30a2\u30f3\u30ed\u30c3\u30af\u3057\u3066\u304b\u3089\u8aad\u307f\u76f4\u3059\u3068\u3001\u30d5\u30e9\u30b0\u30d5\u30a1\u30a4\u30eb\u304c\u898b\u3048\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002
    \u3042\u3068\u306f\u3053\u308c\u3092\u5c55\u958b\u3059\u308b\u3068\u3001\u30d5\u30e9\u30b0\u304c\u51fa\u3066\u304d\u307e\u3059\u3002

    SECCON{YOU_CAN_ANALYSE_HARDWARE_DEVICE}<\/p>\n\n\n\n

    After unlocked, let’s try to find a flag file on the storage with Forensics tool.
    You can get a flag after by extracting it.

    SECCON{YOU_CAN_ANALYSE_HARDWARE_DEVICE} <\/p>\n\n\n\n

    \n\n\n\n

    FAQ \/ \u3088\u304f\u3042\u308b\u8cea\u554f<\/h2>\n\n\n\n

    Question:
    \u3000\u8a66\u3057\u3066\u307f\u305f\u3044\u306e\u3067\u3059\u304c\u3001\u8a55\u4fa1\u30dc\u30fc\u30c9\u306f\u3082\u3089\u3048\u307e\u3059\u304b\uff1f
    \u3000Can you give me the challenge board?

    Answer:
    \u3000\u3054\u3081\u3093\u306a\u3055\u3044\u3002\u3002\u3067\u3082\u3082\u3057\u304a\u4f1a\u3044\u3067\u304d\u308b\u6a5f\u4f1a\u304c\u3042\u308c\u3070\u3001\u4e8b\u524d\u306b\u304a\u6301\u3061\u3059\u308b\u3053\u3068\u306f\u53ef\u80fd\u3067\u3059\u3002
    \u3000Sorry. I can’t. but I can show you the board. please feel free to contact me.<\/p>\n\n\n\n

    Question:
    \u3000\u3069\u3046\u3057\u3066\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u89e3\u9664\u3057\u305f\u3042\u3068\u306b\u30d5\u30a1\u30a4\u30eb\u304c\u8868\u793a\u3055\u308c\u306a\u3044\u306e\u3067\u3059\u304b\uff1f
    \u3000Why didn’t show the file after unlocked?

    Answer:
    \u3000Windows \u3067\u30c6\u30b9\u30c8\u3092\u3057\u305f\u969b\u306b\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30fc\u30e9\u3084\u901a\u5e38\u306e\u65b9\u6cd5\u3067\u8aad\u307f\u51fa\u3057\u306b\u5931\u6557\u3059\u308b\u3053\u3068\u304c\u4f55\u5ea6\u304b\u78ba\u8a8d\u3067\u304d\u3066\u304a\u308a\u3001\u5f53\u8a72\u306e\u30a8\u30e9\u30fc\u306e\u89e3\u6c7a\u304c\u9593\u306b\u5408\u308f\u306a\u304b\u3063\u305f\u306e\u304c\u7406\u7531\u3067\u3059\u3002\u3002\u3059\u307f\u307e\u305b\u3093\u3002\u3002
    \u3000I’m sorry again. I found a issue that windows system can’t read FAT12 data correctly, and I couldn’t find a solution before the CTF.<\/p>\n\n\n\n

    \n\n\n\n

    \u6700\u5f8c\u306b \/ Summary and digression:<\/h2>\n\n\n\n

    \u6b21\u51fa\u3059\u3053\u3068\u304c\u3042\u308c\u3070\u3001\u3082\u3063\u3068\u3061\u3083\u3093\u3068\u81ea\u5206\u304c\u7d0d\u5f97\u3067\u304d\u308b\u554f\u984c\u3092\u63d0\u4f9b\u3057\u305f\u3044\u306a\u3068\u601d\u3063\u3066\u304a\u308a
    \u4eca\u56de\u306e\u81ea\u5206\u306e\u554f\u984c\u306f\u3001\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u30c7\u30a3\u30d9\u30ed\u30c3\u30d1\u3068\u3057\u3066\u3001\u30e6\u30fc\u30b6\u306b\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3092\u63d0\u4f9b\u3059\u308b\u3053\u3068\u306e\u3042\u308b\u4eba\u9593\u3068\u3057\u3066\u306f\u3001\u30af\u30aa\u30ea\u30c6\u30a3\u304c\u4f4e\u3059\u304e\u305f\u3093\u3058\u3083\u306a\u3044\u304b\u3068\u81ea\u5206\u3067\u3082\u731b\u7701\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n

    \u3068\u306f\u3044\u3048\u3001\u5225\u4ef6\u306e\u3053\u3068\u3082\u3042\u308a\u307e\u3059\u3057\u3001Twitter \u3067\u8efd\u304f\u89e6\u308c\u305f\u3053\u3068\u306f\u81ea\u5206\u306e\u610f\u898b\u306b\u306f\u9593\u9055\u3044\u306a\u3044\u306e\u3067
    \u6a5f\u4f1a\u304c\u3042\u308c\u3070\u5341\u5206\u306a\u671f\u9593\u3092\u53d6\u3063\u305f\u4e0a\u3067\u3001\u554f\u984c\u306e\u30af\u30aa\u30ea\u30c6\u30a3\u3084\u51fa\u3057\u65b9\uff08\u4f55\u3092\u3059\u308c\u3070\u826f\u3044\u306e\u304b\u3092\u660e\u77ad\u306b\u3059\u308b\u3001\u554f\u984c\u30bf\u30a4\u30c8\u30eb\u3092\u307e\u3068\u3082\u306a\u30e2\u30ce\u306b\u3059\u308b\uff09\u3092\u81ea\u5206\u306e\u7d0d\u5f97\u3067\u304d\u308b\u30ec\u30d9\u30eb\u306b\u3057\u3066\u51fa\u984c\u3057\u3066\u307f\u305f\u3044\u3067\u3059\u306d\u3002<\/p>\n\n\n\n

    \u554f\u984c\u3092\u901a\u3057\u3066\u30cf\u30fc\u30c9\u30a6\u30a7\u30a2\u306b\u5bfe\u3057\u3066\u3061\u3087\u3063\u3068\u3067\u3082\u8208\u5473\u3092\u5411\u3051\u3066\u3082\u3089\u3048\u308b\u4eba\u304c\u5897\u3048\u305f\u306a\u3089
    \uff08\u30cf\u30fc\u30c9\u30a6\u30a7\u30a2\u304b\u3089\u4fe1\u983c\u3092\u7bc9\u3044\u3066\u3044\u304f\u9762\u767d\u3055\u3068\u304b\u3001\u7d14\u7c8b\u306b\u73fe\u5b9f\u4e16\u754c\u3068\u4eee\u60f3\u7a7a\u9593\u304c\u7e4b\u304c\u308b\u306e\u305f\u306e\u3057\u3044\uff01\u3068\u304b\u601d\u3063\u3066\u3082\u3089\u3048\u305f\u306a\u3089\uff09\u4eca\u56de\u51fa\u984c\u3057\u3066\u826f\u304b\u3063\u305f\u306a\u30fc\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n\n\n\n

    \u30fb\u30fb\u30fb\u53f8\u4f1a\u696d\u3092\u5f53\u65e5\u3057\u3066\u3044\u306a\u304c\u3089\u3001\u8272\u3005\u3068\u7533\u3057\u8a33\u306a\u3044\u6c17\u6301\u3061\u3068\u304b\u304c\u3042\u3063\u305f\u306e\u3067\u3059\u304c\u3001
    \u305d\u3046\u3044\u3046\u306e\u306f\u30c1\u30e9\u88cf\u3067\u3002<\/p>\n\n\n\n

    \n\n\n\n

    I think I could have improved the quality of the challenge If I had more time.
    Thus, I need to apologize to the CTF Player.

    But fortunately, some CTF players told me the challenge was interesting.
    It made me very happy.

    so I think I want to create the “CTF challenge” ( the meaning that it meets the criteria for a general CTF challenge) in the hardware genre if next seccon ctf is to be held.<\/p>\n\n\n\n

    \n\n\n\n
    \"\"<\/figure>\n\n\n\n

    \u3068\u3053\u308d\u3067\u3001\u4eca\u56de\u306e\u554f\u984c\u306f\u30b7\u30f3\u30ac\u30dd\u30fc\u30eb\u3067\u4f5c\u3063\u3066\u3044\u305f\u306e\u3067\u3059\u304c\u3001
    \u3042\u306e\u300c\u30de\u30ea\u30fc\u30ca\u30d9\u30a4\u30b5\u30f3\u30ba\u9280\u884c\u300d\u306e\u9810\u91d1\u3063\u3066\u3069\u3046\u3084\u3063\u305f\u3089\u4e0b\u308d\u305b\u308b\u3093\u3067\u3059\u304b\u306d\u3002<\/p>\n\n\n\n

    by the way, could you tell me how to withdraw the money at “Marina Bay Sands Bank” if you know.
    I think it’s the same way to get points in CTF, but it was very difficult for me….
    especially slots….<\/p>\n\n\n\n

    \u3067\u306f\u3067\u306f\uff01 Bye!<\/p>\n","protected":false},"excerpt":{"rendered":"

    \u307f\u3080\u3089\u3067\u3059\u3002\u5148\u65e5 SECCON CTF \u304c\u884c\u308f\u308c\u3001\u53f8\u4f1a\u696d\u3057\u306a\u304c\u3089\u554f\u984c\u3082\u3072\u3068\u3064\u51fa\u984c\u3055\u305b\u3066\u9802\u304d\u307e\u3057\u305f\u3002 \u5f53\u65e5\u671d\u6765\u305f\u3089\u300c\u554f\u984c\u540d\u306f mimura \u306d\uff01\u300d\u3068\u306a\u3063\u3066\u3044\u307e\u3057\u305f\u3002 \u307f\u306a\u3055\u3093\u304c\u3082\u3057\u304b\u3057\u305f\u3089\u6301\u305f\u308c\u3066\u3044\u305f\u304b\u3082\u3057\u308c\u306a\u3044\u3001\u300c\u306a\u3093\u3060 […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[21],"class_list":["post-5770","post","type-post","status-publish","format-standard","hentry","category-other","tag-seccon-ctf"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/posts\/5770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/comments?post=5770"}],"version-history":[{"count":0,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/posts\/5770\/revisions"}],"wp:attachment":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/media?parent=5770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/categories?post=5770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/tags?post=5770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}