Ctfのためのpython入門

CTFのための
Python入門
しらかみゅ @shiracamus
2013.12.14
SECCON2013東海大会前日勉強会

プログラミング

できる人✋

軽量言語
(スクリプト言語)

使ってる人✋
(Perl,Ruby,JS,PHP,etc.)

Python
世界では
メジャー

Python
日本では
マイナー

数値
(16/10/8/2進数)

文字
(ASCII/UTF)

エンコード
デコード
(base64/uu/rot13)

ハッシュ値
計算
(MD5/SHA1/SHA256/SHA512)

「ハッカーに
なろう」でも
http://cruel.org/freeware/hacker.html

Python
インタープリタ
必要

Linuxには
インストール
済

MacOS Xにも
インストール
済

MS Windowsには

インストール
必要

www.python.org
から

ダウンロード
インストール

最新は

3.x 系
(現在3.3.3)

CTFには

2.x 系
(現在2.7.6)

インタープリタの起動と終了
sh$ python
>>> exit
Use exit() or Ctrl-D (i.e. EOF) to exit
>>> exit()
※ 矢印キーで入力再編集
sh$
CTRL+P,N,A,E,W,K,Y等も
Pythonスクリプトファイルを実行する方法
sh$ python ファイル名

Windowsでの起動と終了
スタートメニュー
┗ Python 2.7
┗ IDLE (Python GUI) 表示量多いと重い
カーソル移動＆改行キーで入力再編集
または
┗ Python (command line)
カーソル移動キーで入力再編集
CTRL+C で入力破棄

電卓として使う
>>> 1+2*3-10/3
四則演算
4
>>> 1<<16
ビットシフト
65536
>>> 5**1024
べき乗
556268464626...12890625L
(L:長整数)
>>> 0xca ^ 0xfe
XOR (排他的論理和)
52
>>> 'A'*16+'¥x86¥x64¥xca¥xfe'
'AAAAAAAAAAAAAAAA¥x86d¥xca¥xfe'

10進数
>>> 123
123
>>> str(123)
'123'
>>> int('123')
123
>>> '%d' % 123
'123'
>>> '%8d, %08d' % (123, 123)
'
123, 00000123'

タプル

16進数
>>> hex(123)
'0x7b'
>>> 0x7b
123
>>> int('7b', 16)
123
>>> int('0x7b', 0)
123
>>> '%-8x, %08x' % (123, 123)
'7b
, 0000007b'

8進数
>>> oct(123)
'0173'
>>> int('173', 8)
123
>>> int('0173', 0)
123
>>> print '%o¥n%06o' % (123, 123)
173
000173

2進数
>>> bin(123)
'0b1111011'
>>> int('1111011', 2)
123
>>> int('0b1111011', 0)
123
>>> format(123, 'b')
'1111011'
>>> print format(123, '016b')
0000000001111011

文字
>>> ord('A')
65
>>> chr(65)
'A'
>>> hex(65)
'0x41'
>>> chr(0x41 + 1)
'B'

文字列/配列(リスト)
>>> list('abc')
['a', 'b', 'c']
>>> map(ord, 'abc')
[97, 98, 99]
>>> map(chr, [97, 98, 99])
['a', 'b', 'c']
>>> map(hex, map(ord, 'abc'))
['0x61', '0x62', '0x63']
>>> ''.join(['a', 'b', 'c'])
'abc'

部分文字列
>>> 'abcdefg'[0]
'a'
>>> 'abcdefg'[-1]
'g'
>>> 'abcdefg'[0:3]
'abc'
>>> 'abcdefg'[3:-1]
'def'
>>> 'abcdefg'[3:]
'defg'

← 先頭
← 最後

← 先頭～2 (3含まず)
← 3～最後から2番目
(-1含まず)
← 3～最後

部分文字列
>>> 'abcdefg'[:3]
'abc'
>>> 'abcdefg'[1::2]
'bdf'
>>> 'abcdefg'[::-1]
'gfedcba'

← 先頭～2 (0省略可)
← 1～最後、2置き
← -1置き＝反転

文字列分割・連結
>>> '83 69 67 67 79 78'.split()
['83', '69', '67', '67', '79', '78']
>>> '53:45:43:43:4f:4e'.split(':')
['53', '45', '43', '43', '4f', '4e']
>>> ' '.join(['83','69','67','67','79','78'])
'83 69 67 67 79 78'
>>> ':'.join(['53','45','43','43','4f','4e'])
'53:45:43:43:4f:4e'

文字分割・連結応用１
CTF問題: 83 69 67 67 79 78
>>> a = [83, 69, 67, 67, 79, 78]
>>> b = map(chr, a)
>>> b
['S', 'E', 'C', 'C', 'O', 'N']
>>> ''.join(b)
'SECCON'
>>> ''.join(map(chr, [83, 69, 67, 67, 79, 78]))
'SECCON'

文字分割・連結応用2
CTF問題: 83 69 67 67 79 78
>>> a = '83 69 67 67 79 78'.split()
>>> a
['83', '69', '67', '67', '79', '78']
>>> b = map(int, a)
>>> b
[83, 69, 67, 67, 79, 78]
>>> ''.join(map(chr, b))
'SECCON'

CTF過去問題１
https://csawctf.poly.edu/archives/2011/challenges.php

87 101 108 99 111 109 101 32 116 111 32 116 104 101 32 50
48 49 49 32 78 89 85 32 80 111 108 121 32 67 83 65 87 32 67
84 70 32 101 118 101 110 116 46 32 87 101 32 104 97 118
101 32 112 108 97 110 110 101 100 32 109 97 110 121 32 99
104 97 108 108 101 110 103 101 115 32 102 111 114 32 121
111 117 32 97 110 100 32 119 101 32 104 111 112 101 32
121 111 117 32 104 97 118 101 32 102 117 110 32 115 111
108 118 105 110 103 32 116 104 101 109 32 97 108 108 46
32 84 104 101 32 107 101 121 32 102 111 114 32 116 104
105 115 32 99 104 97 108 108 101 110 103 101 32 105 115
32 99 114 121 112 116 111 103 114 97 112 104 121 46

文字分割・連結応用3
CTF問題: 53:45:43:43:4f:4e
>>> a = '53:45:43:43:4f:4e'.split(':')
>>> a
['53', '45', '43', '43', '4f', '4e']
>>> int16 = lambda s: int(s, 16)
>>> int16('4e')
78
>>> ':'.join(map(chr, map(int16, a)))
'S:E:C:C:O:N'

16進数文字列変換
>>> 'SECCON'.encode('hex')
'534543434f4e'
>>> '534543434f4e'.decode('hex')
'SECCON'
CTF問題: 53:45:43:43:4f:4e
>>> a='53:45:43:43:4f:4e'.replace(':', '')
>>> a.decode('hex')
'SECCON'

CTF過去問題２

54:68:69:73:20:69:73:20:74:68:65:20:66:69:72:73:74:20:6d:65:73:73:61:
67:65:20:62:65:69:6e:67:20:73:65:6e:74:20:74:6f:20:79:6f:75:20:62:79:
20:74:68:65:20:6c:65:61:64:65:72:73:68:69:70:20:6f:66:20:74:68:65:20:
55:6e:64:65:72:67:72:6f:75:6e:64:20:55:70:72:69:73:69:6e:67:2e:20:49:
66:20:79:6f:75:20:68:61:76:65:20:64:65:63:6f:64:65:64:20:74:68:69:73:
20:6d:65:73:73:61:67:65:20:63:6f:72:72:65:63:74:6c:79:20:79:6f:75:20:7
7:69:6c:6c:20:6e:6f:77:20:6b:6e:6f:77:20:6f:75:72:20:6e:65:78:74:20:6d:
65:65:74:69:6e:67:20:77:69:6c:6c:20:62:65:20:68:65:6c:64:20:6f:6e:20:5
7:65:64:6e:65:73:64:61:79:20:40:20:37:70:6d:2e:20:57:65:20:77:69:6c:6
c:20:61:6c:73:6f:20:72:65:71:75:69:72:65:20:61:20:6b:65:79:20:74:6f:20
:62:65:20:6c:65:74:20:69:6e:74:6f:20:74:68:65:20:6d:65:65:74:69:6e:67:
73:3b:20:74:68:69:73:20:77:65:65:6b:1f:73:20:6b:65:79:20:77:69:6c:6c:
20:62:65:20:6f:76:65:72:74:68:72:6f:77:2e

base64
>>> 'abc'.encode('base64')
'YWJj¥n'
>>> 'YWJj¥n'.decode('base64')
'abc'
>>> print 'abc'.encode('base64')
YWJj

>>> 'YWJj'.decode('base64')
'abc'

uu
>>> print 'abc'.encode('uu')
begin 666 <data>
#86)C
(この行には空白が一つある)

end
>>> '''begin 666 <data>
#86)C
(この行には空白が一つある)

end
'''.decode('uu')
'abc'

rot13
>>> 'Hello'.encode('rot13')
'Uryyb'
>>> 'Uryyb'.decode('rot13')
'Hello'
>>> 'Uryyb'.encode('rot13')
'Hello'
>>> 'abc'.encode('rot6')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
LookupError: unknown encoding: rot6

任意rot 関数定義
def rot(n, s):
※ インデント(字下げ)が同じ範囲がブロック範囲
"""rot(n, s) -> string
Return rotated n characters string of s.
"""
r = ''
for c in s:
if 'A' <= c <= 'Z':
r += chr((ord(c) - ord('A') + n) % 26 + ord('A'))
elif 'a' <= c <= 'z':
r += chr((ord(c) - ord('a') + n) % 26 + ord('a'))
else:
r += c
return r
print rot(-1, 'IBM')

任意rot 内包表記版
def rot(n, s):
return ''.join(chr((ord(c) - ord('A') + n) % 26 + ord('A'))
if 'A' <= c <= 'Z'
else chr((ord(c) - ord('a') + n) % 26 + ord('a'))
if 'a' <= c <= 'z'
else c
for c in s)
あるいは
rot = lambda n, s: ''.join(
chr((ord(c) - ord('A') + n) % 26 + ord('A'))
if 'A' <= c <= 'Z'
else chr((ord(c) - ord('a') + n) % 26 + ord('a'))
if 'a' <= c <= 'z'
else c
for c in s)

余談: rot13の変わった使い方
sh$ cat rot13.py
#!/usr/bin/env python
# -*- coding: rot13 -*cevag "Uryyb FRPPBA!".rapbqr("rot13")
sh$ python rot13.py

Hello SECCON!

CTF過去問題３
010011000110000101110011011101000010000001110111011001010110010101101011011100110010000001101101011
001010110010101110100011010010110111001100111001000000111011101100001011100110010000001100001001000
000110011101110010011001010110000101110100001000000111001101110101011000110110001101100101011100110
111001100101110001000000101011101100101001000000111001101100101011001010110110100100000011101000110
111100100000011000100110010100100000011001110110010101101110011001010111001001100001011101000110100
101101110011001110010000001100001001000000110110001101111011101000010000001101111011001100010000001
100010011101010111101001111010001000000110000101100010011011110111010101110100001000000111010001101
000011001010010000001101101011011110111011001100101011011010110010101101110011101000010111000100000
010101000110100001100101001000000110101101100101011110010010000001100110011011110111001000100000011
011100110010101111000011101000010000001110111011001010110010101101011011100110010000001101101011001
010110010101110100011010010110111001100111001000000110100101110011001000000111001001100101011100110
110100101110011011101000110000101101110011000110110010100101110001000000100100101100110001000000111
010001101000011001010111001001100101001000000110100101110011001000000110000101101110011110010110111
101101110011001010010000001100101011011000111001101100101001000000111100101101111011101010010000001
101011011011100110111101110111001000000110111101100110001000000111010001101000011000010111010000100
000011011010110000101111001001000000110001001100101001000000110100101101110011101000110010101110010
011001010111001101110100011001010110010000100000011010010110111000100000011010100110111101101001011
011100110100101101110011001110010000001100010011100100110100101101110011001110010000001110100011010
000110010101101101001000000111010001101111001000000111010001101000011001010010000001101101011001010
110010101110100011010010110111001100111001000000111010001101000011010010111001100100000011101110110
010101100101011010110010111000100000010010010111010000100000011101110110100101101100011011000010000
001100010011001010010000001101000011001010110110001100100001000000111001101100001011011010110010100
100000011101000110100101101101011001010010110000100000011100110110000101101101011001010010000001110
0000110110001100001011000110110010100101110

ハッシュ値
>>> import hashlib
>>> hashlib.md5('abc').hexdigest()
'900150983cd24fb0d6963f7d28e17f72'

>>> hashlib.sha1('abc').hexdigest()
'a9993e364706816aba3e25717850c26c9cd0d89d'

'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb
410ff61f20015ad'


'ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20
a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd45
4d4423643ce80e2a9ac94fa54ca49f'

ハッシュ値簡略指定
>>> from hashlib import *
>>> md5('abc').hexdigest()
'900150983cd24fb0d6963f7d28e17f72'

>>> sha1('abc').hexdigest()
'a9993e364706816aba3e25717850c26c9cd0d89d'


'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb
410ff61f20015ad'


'ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20
a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd45
4d4423643ce80e2a9ac94fa54ca49f'

ファイル入出力
src = open('/tmp/a', 'r')
dst = open('/tmp/b', 'w')
for line in src:
dst.write('# ' + line)
src.close()
dst.close()
data = open('/tmp/data', 'rb').read()
print data

外部コマンド実行
import subprocess
p = subprocess.Popen(['cat', '-'],
stdin = subprocess.PIPE,
stdout = subprocess.PIPE,
stderr = subprocess.STDOUT)
p.stdin.write('Hello¥n')
print p.stdout.readline()

socket通信
import socket
def solve(data):
return 'hoge'

解法処理を書く

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('123.45.67.89', 12345))
ホスト名とポート番号
for i in range(100):
s.send(solve(s.recv(1024)))
print s.recv(1024)

HTTP通信 GET
import urllib
s = urllib.urlopen('http://www.yahoo.co.jp/')
html = s.read()
s.close()
print html

HTTP通信 POST
import urllib, urllib2
data = urllib.urlencode({'name': 'admin',
'password': 'H4ck3r'})
s = urllib2.urlopen('http://www.../login', data)
html = s.read()
print html

ヘルプ
>>> help(map)
Help on built-in function map in module __builtin__:
map(...)
map(function, sequence[, sequence, ...]) -> list
Return a list of the results of applying the function to the items of
the argument sequence(s). If more than one sequence is given, the
function is called with an argument list consisting of the corresponding
item of each sequence, substituting None for missing values when not all
sequences have the same length. If the function is None, return a list of
the items of the sequence (or a list of tuples if more than one sequence).

メソッド一覧
>>> dir('')
['__add__', '__class__', '__contains__', '__delattr__', '__doc__', '__eq__',
'__format__', '__ge__', '__getattribute__', '__getitem__', '__getnewargs__',
'__getslice__', '__gt__', '__hash__', '__init__', '__le__', '__len__', '__lt__',
'__mod__', '__mul__', '__ne__', '__new__', '__reduce__', '__reduce_ex__',
'__repr__', '__rmod__', '__rmul__', '__setattr__', '__sizeof__', '__str__',
'__subclasshook__', '_formatter_field_name_split', '_formatter_parser',
'capitalize', 'center', 'count', 'decode', 'encode', 'endswith', 'expandtabs', 'find',
'format', 'index', 'isalnum', 'isalpha', 'isdigit', 'islower', 'isspace', 'istitle', 'isupper',
'join', 'ljust', 'lower', 'lstrip', 'partition', 'replace', 'rfind', 'rindex', 'rjust',
'rpartition', 'rsplit', 'rstrip', 'split', 'splitlines', 'startswith', 'strip', 'swapcase',
'title', 'translate', 'upper', 'zfill']

>>> help(''.center)
Help on built-in function center:
center(...)
S.center(width[, fillchar]) -> string

>>> 'SECCON'.center(30, '-')
'------------SECCON------------'

変数一覧
>>> locals()
{'a': [83, 69, 67, 67, 79, 78], 'int16': <function <lambda> at
0x000000000252DF28>, '__builtins__': <module '__builtin__' (built-in)>,
'__package__': None, 'b': ['S', 'E', 'C', 'C', 'O', 'N'], '__name__': '__main__',
'__doc__': None}

>>> globals()
{'hashlib': <module 'hashlib' from 'C:¥Python27¥lib¥hashlib.pyc'>, 'sha1':
<built-in function openssl_sha1>, '__builtins__': <module '__builtin__' (builtin)>, 'new': <function __hash_new at 0x000000000292A048>, '__package__':
None, 'sha224': <built-in function openssl_sha224>, 'algorithms': ('md5', 'sha1',
'sha224', 'sha256', 'sha384', 'sha512'), 'sha384': <built-in function
openssl_sha384>, '__name__': '__main__', 'sha256': <built-in function
openssl_sha256>, 'sha512': <built-in function openssl_sha512>, '__doc__':
None, 'md5': <built-in function openssl_md5>}

おしまい
ありがとうございました

Ctfのためのpython入門

More Related Content

What's hot (20)

Similar to Ctfのためのpython入門 (20)

Ctfのためのpython入門