Syskron Security CTF Writeup - My servo drive is getting mad
Question
My servo drive sends strange parameters. Can you decode them? I have to go for lunch. mqtt.ctf.syskron-security.com:1883
Solution
MQTTで接続するようなので、簡単な受信スクリプトを書く。
過去の問題ではMQTT over WebSocketだったが、今回は普通のMQTT。
過去のWriteupは以下。
hxp CTF 2018 Writeup - time for h4x0rpsch0rr? - こんとろーるしーこんとろーるぶい
import paho.mqtt.client as mqtt def on_connect(client, userdata, flags, respons_code): print('connected') client.subscribe('#') def on_message(client, userdata, msg): print(msg.topic + ' ' + str(msg.payload)) client = mqtt.Client() client.on_connect = on_connect client.on_message = on_message client.connect('mqtt.ctf.syskron-security.com', 1883, keepalive=60)
実行する。
(venv3) root@kali:/mnt/CTF/Contest/Syskron Security CTF# python mqtchall.py connected servo/rpm b'0' servo/rpm b'0' servo/rpm b'0' servo/rpm b'0' servo/rpm b'0' servo/rpm b'0' servo/rpm b'0' servo/rpm b'0' servo/rpm b'153' servo/rpm b'147' servo/rpm b'158' servo/rpm b'152' servo/rpm b'132' servo/rpm b'151' servo/rpm b'154' servo/rpm b'147' servo/rpm b'143' servo/rpm b'160' servo/rpm b'146' servo/rpm b'154' servo/rpm b'160' servo/rpm b'207' servo/rpm b'138' servo/rpm b'139' servo/rpm b'130' servo/rpm b'0' servo/rpm b'0' servo/rpm b'0' servo/rpm b'0' servo/rpm b'0' (snip)
ASCII文字になりそう。
data = "153 147 158 152 132 151 154 147 143 160 146 154 160 207 138 139 130" decoded = "" for i in data.split(" "): decoded += (chr(int(i) ^ 0xff)) print(decoded)
実行する。
(venv3) root@kali:/mnt/CTF/Contest/Syskron Security CTF# python decode.py
flag{help_me_0ut}
